CVE-2021-31855

low

Published — · Modified —

CVSS v3

—

CVSS v2

—

VIR risk

2.5

Description

KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. With a crafted message, a user could be tricked into decrypting an encrypted message and then deleting an attachment attached to this message. If the attacker has access to the messages stored on the email server, then the attacker could read the decrypted content of the encrypted message. This occurs in ViewerPrivate::deleteAttachment in messageviewer/src/viewer/viewer_p.cpp.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-31855

OS impact

OS	Version	Status	Fixed in
arch		fixed	`21.04.0-2`
debian	bookworm	fixed	`4:20.08.3-5`
debian	bullseye	fixed	`4:20.08.3-5`

References

https://security-tracker.debian.org/tracker/CVE-2021-31855

Verify integrity in audit chain (admin only). AS-IS.