CVE-2026-26312 Overview
A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 that allows attackers to cause excessive CPU and memory consumption by crafting a specially malformed email. The vulnerability is triggered when accessing an email containing malformed nested message/rfc822 MIME parts via IMAP or JMAP protocols. This resource exhaustion can lead to an out-of-memory condition and complete server crash, disrupting mail services for all users.
Critical Impact
Authenticated attackers can crash the entire Stalwart Mail Server by sending a single malicious email, causing service disruption for all users relying on the mail system.
Affected Products
- Stalwart Mail Server versions 0.13.0 through 0.15.4
- Systems using the affected mail-parser crate for MIME parsing
- Deployments exposing IMAP or JMAP interfaces to users
Discovery Timeline
- 2026-02-19 - CVE-2026-26312 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26312
Vulnerability Analysis
This vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) affects the email parsing logic in Stalwart Mail Server. The underlying issue stems from how the mail-parser crate handles malformed nested message/rfc822 MIME parts. When presented with a specially crafted email structure, the parser produces cyclical references in its parsed representation. Stalwart Mail Server then follows these references indefinitely when processing the email via IMAP or JMAP, leading to unbounded resource consumption.
The attack requires low-privileged access to submit or store an email on the target server, which the victim then accesses through IMAP or JMAP. Once triggered, the vulnerability causes the server process to consume all available CPU cycles and memory until the system either kills the process due to out-of-memory conditions or the administrator intervenes.
Root Cause
The root cause lies in the mail-parser crate's handling of nested message/rfc822 MIME parts. When parsing malformed email structures, the crate fails to detect and prevent cyclical references in the parsed representation. The Stalwart Mail Server then traverses these circular references without any safeguards or iteration limits, resulting in an infinite loop that exhausts system resources. This represents a classic case of insufficient input validation combined with missing resource consumption limits.
Attack Vector
The attack is conducted over the network and requires the attacker to hold low privileges (such as a valid email account) that allow sending or storing an email on the target server. The exploitation flow involves:
- Attacker crafts an email with malformed nested message/rfc822 MIME parts designed to create cyclical parsing references
- The malicious email is delivered to or stored on the Stalwart Mail Server
- When any user (including the attacker) accesses this email via IMAP or JMAP, the vulnerable parsing logic is triggered
- The server enters an infinite loop following cyclical references, consuming CPU and memory
- The server crashes due to resource exhaustion, denying service to all users
No user interaction beyond normal email access is required to trigger the vulnerability once the malicious email is in place.
Detection Methods for CVE-2026-26312
Indicators of Compromise
- Stalwart Mail Server processes exhibiting unexpectedly high CPU utilization (approaching 100%)
- Rapid memory consumption growth in the mail server process
- Server crashes or out-of-memory errors in system logs coinciding with IMAP/JMAP access
- Emails with unusually deep or complex nested message/rfc822 MIME structures in mail queues
Detection Strategies
- Monitor for anomalous resource consumption patterns in the Stalwart Mail Server process
- Implement log analysis rules to detect repeated server crashes or restarts
- Configure alerting for out-of-memory conditions on mail server hosts
- Analyze incoming emails for unusually complex MIME structures before delivery
Monitoring Recommendations
- Deploy resource monitoring on all Stalwart Mail Server instances with alerting thresholds for CPU and memory
- Implement log aggregation and analysis to correlate crash events with email access patterns
- Consider implementing rate limiting on IMAP/JMAP connections to slow potential exploitation
How to Mitigate CVE-2026-26312
Immediate Actions Required
- Upgrade Stalwart Mail Server to version 0.15.5 or later immediately
- Review recent server crashes for potential exploitation attempts
- Consider temporarily restricting access to IMAP/JMAP services if upgrade cannot be performed immediately
- Implement resource limits (cgroups, ulimits) on the mail server process as a defense-in-depth measure
Patch Information
The vulnerability has been addressed in Stalwart Mail Server version 0.15.5. Organizations running affected versions (0.13.0 through 0.15.4) should upgrade immediately. The patch addresses the cyclical reference handling in the mail-parser crate integration. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Deploy the mail server within resource-constrained containers or cgroups to prevent complete system exhaustion
- Implement network-level rate limiting on IMAP/JMAP ports
- Configure process supervisors to automatically restart the mail server if it crashes, maintaining some level of service availability
- Consider implementing email filtering upstream to detect and quarantine emails with suspicious MIME structures
# Example: Configure systemd resource limits for Stalwart Mail Server
# Edit /etc/systemd/system/stalwart.service.d/override.conf
[Service]
MemoryMax=4G
CPUQuota=80%
Restart=always
RestartSec=5
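The detection strategy above ("analyze incoming emails for unusually complex MIME structures before delivery") and the upstream-filtering workaround both come down to the same check: walk the MIME tree with a bound. The following is an added example, not code from Stalwart or the mail-parser crate; it uses Python's standard `email` package, a constructed nested sample message, and a hypothetical depth threshold `MAX_RFC822_DEPTH` that a deployment would tune. The walk is iterative, keeps a visited set and stops at the limit, so it terminates even if a parser handed back a cyclic structure like the one described in the root-cause section.

```python
"""Bounded walk over a MIME tree that flags deep message/rfc822 nesting."""
from __future__ import annotations

from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_RFC822_DEPTH = 5  # hypothetical policy threshold, not a Stalwart setting


def rfc822_nesting_depth(raw: bytes, limit: int = MAX_RFC822_DEPTH) -> tuple[int, bool]:
    """Return (deepest message/rfc822 nesting seen, limit_exceeded).

    Depth counts message/rfc822 parts on the path from the root, so a plain
    message is depth 0.  The traversal is iterative, refuses to revisit a part
    (cycle guard) and aborts once `limit` is exceeded, so it never loops
    forever on a malformed or cyclic parse result.
    """
    root = message_from_bytes(raw, policy=policy.default)
    stack = [(root, 0)]
    seen: set[int] = set()
    deepest = 0
    while stack:
        part, depth = stack.pop()
        if id(part) in seen:  # a parser cycle would bring us back here
            continue
        seen.add(id(part))
        if part.get_content_type() == "message/rfc822":
            depth += 1  # entering an embedded message
            deepest = max(deepest, depth)
            if depth > limit:
                return deepest, True  # stop early: quarantine candidate
        if part.is_multipart():  # multipart/* and message/rfc822 hold child parts
            stack.extend((child, depth) for child in part.get_payload())
    return deepest, False


def build_nested(levels: int) -> bytes:
    """Constructed sample: a text message wrapped in `levels` message/rfc822 layers."""
    msg = EmailMessage()
    msg["Subject"] = "innermost"
    msg.set_content("hello")
    for i in range(levels):
        outer = EmailMessage()
        outer["Subject"] = f"wrapper {i}"
        outer.add_attachment(msg)  # a Message payload becomes message/rfc822
        msg = outer
    return msg.as_bytes()


if __name__ == "__main__":
    print(rfc822_nesting_depth(build_nested(3)))           # (3, False)
    print(rfc822_nesting_depth(build_nested(3), limit=2))  # (3, True)
```

A milter or pre-delivery hook can reject or quarantine a message whenever the second value is `True`, which keeps oversized nesting away from the IMAP/JMAP rendering path the advisory describes.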
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.