DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32178: CVE-2026-32178: SMTP Header Injection and Protocol Smuggling in .NET System.Net.Mail

#security #cve #cybersecurity

CVE-2026-32178: SMTP Header Injection and Protocol Smuggling in .NET System.Net.Mail

Vulnerability ID: CVE-2026-32178
CVSS Score: 7.5
Published: 2026-04-14

CVE-2026-32178 is a high-severity spoofing and protocol smuggling vulnerability in the Microsoft .NET runtime and Visual Studio. The flaw stems from inadequate neutralization of carriage return and line feed (CRLF) characters within the System.Net.Mail namespace, permitting attackers to inject unauthorized SMTP headers and manipulate email routing logic.

TL;DR

Missing CRLF sanitization in the .NET System.Net.Mail library allows remote attackers to inject arbitrary SMTP headers (such as Bcc) via crafted user input, leading to unauthorized data disclosure and email spoofing.

Technical Details

  • Vulnerability Type: CRLF Injection / Protocol Smuggling
  • CWE ID: CWE-138
  • CVSS v3.1: 7.5 (High)
  • Attack Vector: Network (Remote)
  • EPSS Score: 0.00053 (16.58%)
  • Exploit Status: None (No public PoC)
  • CISA KEV: Not Listed

Affected Systems

  • .NET 10.0 Runtime
  • .NET 9.0 Runtime
  • .NET 8.0 Runtime
  • Visual Studio 2022 v17.12
  • Visual Studio 2022 v17.14
  • .NET 10.0: 10.0.0 <= version < 10.0.6 (Fixed in: 10.0.6)
  • .NET 9.0: 9.0.0 <= version < 9.0.15 (Fixed in: 9.0.15)
  • .NET 8.0: 8.0.0 <= version < 8.0.26 (Fixed in: 8.0.26)
  • Visual Studio 2022: 17.12.0 <= version < 17.12.19 (Fixed in: 17.12.19)
  • Visual Studio 2022: 17.14.0 <= version < 17.14.30 (Fixed in: 17.14.30)

Code Analysis

Commit: df1ae78

System.Net.Mail sanitization to detect and reject CRLF character injection.

Commit: a1b54a0

Fix base64 decoding error handling in Base64DecoderHelper.

Commit: b234b9a

Introduce DangerousMaxRecursionDepth to prevent XML recursion Stack Overflow.

Mitigation Strategies

  • Upgrade .NET runtimes to the patched servicing releases (10.0.6, 9.0.15, 8.0.26).
  • Implement strict application-level input validation to reject parameters containing '\r' or '\n'.
  • Configure MTAs (Postfix, Exim) to drop emails with malformed or duplicated structural headers.
  • Deploy WAF rules to inspect and sanitize user inputs mapped to email processing workflows.

Remediation Steps:

  1. Inventory all production instances utilizing the .NET 8.0, 9.0, or 10.0 runtimes.
  2. Apply the vendor-supplied runtime updates corresponding to the specific major version.
  3. Restart affected application pools and services to ensure the patched runtime components are loaded into memory.
  4. Audit application source code for direct mapping of user input to MailAddress constructors or MailMessage properties.

References

Read the full report for CVE-2026-32178 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)