CVE-2014-3956

low

Published 2014-06-04 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.9

Description

The sm_close_on_exec function in conf.c in sendmail before 8.14.9 has arguments in the wrong order, and consequently skips setting expected FD_CLOEXEC flags, which allows local users to access unintended high-numbered file descriptors via a custom mail-delivery program.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

{Vendor advisory: cve@mitre.org — ftp://ftp.sendmail.org/pub/sendmail/RELEASE_NOTES}

OS impact

Fedora Affected 1 release

Version	Status	Fixed in
20	Affected	—

FreeBSD Affected 1 release

Version	Status	Fixed in
—	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`8.14.4-6`
sid	Fixed	`8.14.4-6`
forky	Fixed	`8.14.4-6`
bullseye	Fixed	`8.14.4-6`
bookworm	Fixed	`8.14.4-6`

Application impact

Vendor	Product	Versions
hp	hpux	`{"endIncluding":"b.11.31"}`
sendmail	sendmail	`{"endIncluding":"8.14.8"}`
sendmail	sendmail	`8.6.7`
sendmail	sendmail	`8.7.6`
sendmail	sendmail	`8.7.7`
sendmail	sendmail	`8.7.8`
sendmail	sendmail	`8.7.9`
sendmail	sendmail	`8.7.10`
sendmail	sendmail	`8.8.8`
sendmail	sendmail	`8.9.0`
sendmail	sendmail	`8.9.1`
sendmail	sendmail	`8.9.2`
sendmail	sendmail	`8.9.3`
sendmail	sendmail	`8.10`
sendmail	sendmail	`8.10.0`
sendmail	sendmail	`8.10.1`
sendmail	sendmail	`8.10.2`
sendmail	sendmail	`8.11.0`
sendmail	sendmail	`8.11.1`
sendmail	sendmail	`8.11.2`
sendmail	sendmail	`8.11.3`
sendmail	sendmail	`8.11.4`
sendmail	sendmail	`8.11.5`
sendmail	sendmail	`8.11.6`
sendmail	sendmail	`8.11.7`
sendmail	sendmail	`8.12.0`
sendmail	sendmail	`8.12.1`
sendmail	sendmail	`8.12.2`
sendmail	sendmail	`8.12.3`
sendmail	sendmail	`8.12.4`
sendmail	sendmail	`8.12.5`
sendmail	sendmail	`8.12.6`
sendmail	sendmail	`8.12.7`
sendmail	sendmail	`8.12.8`
sendmail	sendmail	`8.12.9`
sendmail	sendmail	`8.12.10`
sendmail	sendmail	`8.12.11`
sendmail	sendmail	`8.13.0`
sendmail	sendmail	`8.13.1`
sendmail	sendmail	`8.13.2`
sendmail	sendmail	`8.13.3`
sendmail	sendmail	`8.13.4`
sendmail	sendmail	`8.13.5`
sendmail	sendmail	`8.13.6`
sendmail	sendmail	`8.13.7`
sendmail	sendmail	`8.13.8`
sendmail	sendmail	`8.14.0`
sendmail	sendmail	`8.14.1`
sendmail	sendmail	`8.14.2`
sendmail	sendmail	`8.14.3`
sendmail	sendmail	`8.14.4`
sendmail	sendmail	`8.14.5`
sendmail	sendmail	`8.14.6`
sendmail	sendmail	`8.14.7`

References

CWEs

CWE-200

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.