CVE-2026-26312
Received Received - Intake
Denial-of-Service in Stalwart Mail Server via Malformed MIME

Publication date: 2026-02-19

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Stalwart is a mail and collaboration server. A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 where accessing a specially crafted email containing malformed nested `message/rfc822` MIME parts via IMAP or JMAP causes excessive CPU and memory consumption, potentially leading to an out-of-memory condition and server crash. The malformed structure causes the `mail-parser` crate to produce cyclical references in its parsed representation, which Stalwart then follows indefinitely. Version 0.15.5 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26312
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
stalw stalwart From 0.13.0 (inc) to 0.15.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Stalwart Mail Server to version 0.15.5 or later, which contains the patch addressing the denial-of-service issue caused by malformed nested message/rfc822 MIME parts.

Executive Summary

This vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4. It is a denial-of-service issue triggered when the server accesses a specially crafted email containing malformed nested message/rfc822 MIME parts via IMAP or JMAP protocols. The malformed structure causes the mail-parser component to create cyclical references in its parsed data, which the server then follows indefinitely, leading to excessive CPU and memory usage.

This excessive resource consumption can cause the server to run out of memory and crash, disrupting mail services. The issue is fixed in version 0.15.5.

Impact Analysis

The primary impact of this vulnerability is a denial-of-service condition on the Stalwart Mail Server. An attacker can send a specially crafted email that causes the server to consume excessive CPU and memory resources, potentially crashing the server.

This can lead to mail service outages, affecting availability and potentially disrupting business communications.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26312. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart