{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26312", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.806Z", "datePublished": "2026-02-19T21:05:11.788Z", "dateUpdated": "2026-02-20T19:58:25.519Z"}, "containers": {"cna": {"title": "Stalwart Mail Server has Out-of-Memory Denial of Service via Malformed Nested MIME Messages", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-jm95-876q-c9gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-jm95-876q-c9gw"}], "affected": [{"vendor": "stalwartlabs", "product": "stalwart", "versions": [{"version": ">= 0.13.0, < 0.15.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T21:05:11.788Z"}, "descriptions": [{"lang": "en", "value": "Stalwart is a mail and collaboration server. A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 where accessing a specially crafted email containing malformed nested `message/rfc822` MIME parts via IMAP or JMAP causes excessive CPU and memory consumption, potentially leading to an out-of-memory condition and server crash. The malformed structure causes the `mail-parser` crate to produce cyclical references in its parsed representation, which Stalwart then follows indefinitely. Version 0.15.5 contains a patch."}], "source": {"advisory": "GHSA-jm95-876q-c9gw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T19:57:47.994070Z", "id": "CVE-2026-26312", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T19:58:25.519Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T19:57:47.994070Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T19:58:09.368Z"}}], "cna": {"title": "Stalwart Mail Server has Out-of-Memory Denial of Service via Malformed Nested MIME Messages", "source": {"advisory": "GHSA-jm95-876q-c9gw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "stalwartlabs", "product": "stalwart", "versions": [{"status": "affected", "version": ">= 0.13.0, < 0.15.5"}]}], "references": [{"url": "https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-jm95-876q-c9gw", "name": "https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-jm95-876q-c9gw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Stalwart is a mail and collaboration server. A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 where accessing a specially crafted email containing malformed nested `message/rfc822` MIME parts via IMAP or JMAP causes excessive CPU and memory consumption, potentially leading to an out-of-memory condition and server crash. The malformed structure causes the `mail-parser` crate to produce cyclical references in its parsed representation, which Stalwart then follows indefinitely. Version 0.15.5 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T21:05:11.788Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26312", "state": "PUBLISHED", "dateUpdated": "2026-02-20T19:58:25.519Z", "dateReserved": "2026-02-13T16:27:51.806Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T21:05:11.788Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stalw:stalwart:*:*:*:*:*:*:*:*", "matchCriteriaId": "05786B85-A8FE-4E13-888E-E84AA2D30990", "versionEndExcluding": "0.15.5", "versionStartIncluding": "0.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Stalwart is a mail and collaboration server. A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 where accessing a specially crafted email containing malformed nested `message/rfc822` MIME parts via IMAP or JMAP causes excessive CPU and memory consumption, potentially leading to an out-of-memory condition and server crash. The malformed structure causes the `mail-parser` crate to produce cyclical references in its parsed representation, which Stalwart then follows indefinitely. Version 0.15.5 contains a patch."}], "id": "CVE-2026-26312", "lastModified": "2026-02-20T19:40:52.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T21:18:31.823", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-jm95-876q-c9gw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.13.0,0.15.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "stalwart", "source": "cna", "vendor": "stalwartlabs"}, "product": "stalwart", "vendor": "stalwartlabs"}], "analysis": {"en": {"generated_at": "2026-04-17T17:53:24.206015+00:00", "value": {"mitigation_remediation": ["Upgrade Stalwart Mail Server to version 0.15.5 or later, which contains the fix for the parser cycle issue.", "If an upgrade is not immediately possible, monitor memory and CPU utilization of the mail-parser process and limit concurrent parsing of large or deeply nested messages.\n", "Configure firewall or access controls to restrict IMAP/JMAP access to trusted clients, and consider implementing rate limits to reduce the chance of a resource exhaustion attack."], "summary": {"action": "Patch ASAP", "impact": "Out-of-Memory Denial of Service"}, "threat_synthesis": {"affected_systems": "Stalwart Mail Server versions 0.13.0 through 0.15.4 are affected. All deployments that expose IMAP or JMAP interfaces to potentially hostile external users could be impacted. Version 0.15.5 includes the required patch.", "description_and_impact": "A malformed MIME structure in Stalwart Mail Server emails triggers the mail-parser crate to create circular references. The server follows these references indefinitely, consuming excessive CPU and memory until the process crashes. The vulnerability is a classic resource exhaustion flaw, categorized as CWE-770, that can halt mail service availability without compromising confidentiality or integrity.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, but the EPSS score of less than 1% suggests a low probability of exploitation under current conditions. The attack vector is inferred to be remote, requiring an attacker to send a specifically crafted email via IMAP or JMAP. Once the malicious message is accessed, the server experiences rapid resource drain, leading to an out-of-memory condition and crash."}}}}, "created": "2026-02-20T09:53:56.235107+00:00", "updated": "2026-04-17T18:00:12.180317+00:00", "vendors": ["stalwartlabs", "stalwartlabs$PRODUCT$stalwart"]}