Mutt 2.4.1 Lands With OpenSSL 4 Fixes, Alt Key Corrections, and a Theoretical IMAP Overflow Patch
The 30-year-old terminal email client posts its second point release of the 2.4 cycle, keeping the legacy MUA stable for today's systems.
Mutt 2.4.1 is out. The new patch release keeps the terminal email client stable as distros roll out newer toolchains and developers push past the 2.4.0 feature drop. Upstream maintainer Kevin J. McCarthy posted the announcement today, and the changelog is short but deliberate. It fixes OpenSSL 4 compilation, restores Alt keybindings in the foot terminal, patches an empty command line argument crash, and closes a theoretical IMAP buffer overflow.
If you haven't touched Mutt in a while, the 30-year-old MUA still occupies a fairly specific niche. It's keyboard-only, config-file-driven, and completely indifferent to your feelings. That's exactly why system administrators, security researchers, and power users keep coming back to it. You want a mail client that runs over SSH, costs you nothing in RAM, and refuses to execute embedded JavaScript? Mutt is still the reference implementation.
What 2.4 Brought to the Table
The 2.4.0 feature drop actually packed in a few meaningful changes before McCarthy moved into the patch cycle. He added explicit bindable commands for opening and closing threads, which finally gives you granular control over long mailing list dumps. There's a new $tmpdraftdir variable that defaults to /var/tmp, so composition drafts survive reboots instead of vanishing the moment your laptop sleeps. Search patterns ~C and ~L now match Bcc addresses in sent folders, and the Maildir validator got stricter by requiring all three subdirectories to exist.
The S/MIME stack also got updated to emit RFC-compliant application/pkcs7-mime and application/pkcs7-signature types instead of the deprecated vendor prefixes. Not bad for a feature release in 2026. There's a codebase reformatting cycle in there too, which means anyone maintaining external patches should be ready to bump against some merge friction. The project also deprecated the --without-wc-funcs configure flag, with plans to drop it entirely in 2.5.0.
The Patch Release Itself
The 2.4.1 fixes aren't flashy, but they cover the exact corners where Mutt tends to break in production environments. OpenSSL 4 support is critical right now. Several major distributions are beginning to ship the new library, and Mutt had been failing to compile cleanly against it.
The commit log shows the exact work McCarthy did. a739e126 prevents an unsigned int overflow in imap_cmd_step buffer growth by aligning the data structure with a size_t loop counter. It's a theoretical issue since IMAP servers will never push a single line past 4GB, but leaving a buffer overflow in a network-facing parser is just asking for trouble. 7bfd91dc tackles the OpenSSL 4 build failures. 7f8a0929 strips an ncurses meta() call to restore Alt keybindings in the foot terminal, which had been throwing off the key translation layer. And f0aA370b5 guards against empty -A, -a, and -Q flags that previously triggered a crash.
It's a solid, no-nonsense patch. Exactly what you'd want to see in a stable point release.
For what it's worth, Mutt's development model hasn't changed much since Brendan Cully handed stewardship to McCarthy around 2018. The upstream repository lives on GitLab under the muttmua organization, and the project still leans on a benevolent dictator model. If you're chasing features that haven't made it upstream, the NeoMutt fork remains the gathering point for unmerged patches, including experimental sidebar tweaks and Notmuch integration improvements.
You can grab the tarball directly from here, or follow the instructions from here. McCarthy asks that you verify the signature file against his public key before running anything. The project's mailing lists (mutt-dev, mutt-users, mutt-hackers, mutt-announce) are still hosted at lists.mutt.org, and the issue tracker is right where you'd expect it on GitLab.
