NET Spoofing Vulnerability, CVE-2026-32178 (High)

Listen to this Post

How CVE-2026-32178 Works

A remote attacker could exploit a parsing flaw in the System.Net.Mail component, specifically within the MailAddress functionality. This vulnerability allows for SMTP (Simple Mail Transfer Protocol) Command Injection and Header Injection. The issue arises due to improper neutralization of special elements (CWE-138), where specially crafted data is processed. By injecting malicious commands into email headers, an attacker can manipulate the SMTP session or email content. Successful exploitation could lead to the disclosure of sensitive information. The attack vector is network-based, requires no privileges, and no user interaction (CVSS: AV:N/AC:L/PR:N/UI:N). This can be used to spoof legitimate senders, bypass authentication, or trick users into performing unintended actions. The vulnerability affects .NET 8.0, 9.0, and 10.0 on all platforms and architectures. Attack complexity is low, making this a significant threat for enterprise applications. The vulnerability is classified as a spoofing attack, with a CVSS base score of 7.5 (High). Microsoft has released patches as part of the April 14, 2026 servicing updates. Proof-of-concept code is not publicly available, but the flaw is considered reproducible. This vulnerability underscores the importance of strict input validation in email handling routines.

dailycve form

Platform: All .NET
Version: 8.0,9.0,10.0
Vulnerability : SMTP/Header Injection
Severity: High (7.5)
date: 2026-04-14

Prediction: Patch already available

What Undercode Say:

Analytics

Check installed .NET versions
dotnet --info
List vulnerable packages in project
dotnet list package --vulnerable
Update .NET runtime (Ubuntu/Debian example)
sudo apt-get update && sudo apt-get install dotnet-runtime-8.0
Update self-contained app (recompile and redeploy)
dotnet publish -c Release -r linux-x64 --self-contained

Exploit:

Crafted email data injects SMTP commands via MailAddress parsing flaw. Example: "Attacker <[email protected]>\r\nBCC: [email protected]".

Protection from this CVE

Update to patched versions: .NET 8.0.26+, 9.0.15+, or 10.0.6+. Restart all apps after update.

Impact

Sensitive info disclosure via spoofed emails, bypassing authentication, enabling further attacks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top