CVE-2017-17688

Name: CVE-2017-17688
Creator: NVD / NIST
Published: 2018-05-16T19:29:00.223+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 5.57%

Last modified Jun 17, 2026

CVE-2017-17688 is a vulnerability of currently unknown severity. The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification. EPSS estimates a 5.57% chance of exploitation in the next 30 days.

Description

The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification

Metrics

EPSS Probability

5.57%

91.9th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Apple	Mail	All versions
Bloop	Airmail	All versions
Emclient	Emclient	All versions
Flipdogsolutions	Maildroid	All versions
Freron	Mailmate	All versions
Horde	Horde Imp	All versions
Microsoft	Outlook	2007
Mozilla	Thunderbird	All versions
Postbox-Inc	Postbox	All versions
R2mail2	R2mail2	All versions
Roundcube	Webmail	All versions

References

http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.htmlThird Party Advisory
http://www.securityfocus.com/bid/104162Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1040904Third Party Advisory, VDB Entry
https://efail.deExploit, Mitigation, Third Party Advisory
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.htmlThird Party Advisory
https://news.ycombinator.com/item?id=17066419Issue Tracking, Third Party Advisory
https://protonmail.com/blog/pgp-vulnerability-efailIssue Tracking, Third Party Advisory
https://twitter.com/matthew_d_green/status/995996706457243648Third Party Advisory
https://www.patreon.com/posts/cybersecurity-15-18814817Issue Tracking, Third Party Advisory
https://www.synology.com/support/security/Synology_SA_18_22Third Party Advisory
http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.htmlThird Party Advisory
http://www.securityfocus.com/bid/104162Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1040904Third Party Advisory, VDB Entry
https://efail.deExploit, Mitigation, Third Party Advisory
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.htmlThird Party Advisory
https://news.ycombinator.com/item?id=17066419Issue Tracking, Third Party Advisory
https://protonmail.com/blog/pgp-vulnerability-efailIssue Tracking, Third Party Advisory
https://twitter.com/matthew_d_green/status/995996706457243648Third Party Advisory
https://www.patreon.com/posts/cybersecurity-15-18814817Issue Tracking, Third Party Advisory
https://www.synology.com/support/security/Synology_SA_18_22Third Party Advisory

Timeline

Published: May 16, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-17688?

How severe is CVE-2017-17688?

Severity scoring for CVE-2017-17688 is pending analysis. The EPSS model estimates a 5.57% probability of exploitation in the next 30 days.

How do I fix CVE-2017-17688?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-17688?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST