Listen to this Post
How CVE-2026-32178 Works
A remote attacker could exploit a parsing flaw in the System.Net.Mail component, specifically within the MailAddress functionality. This vulnerability allows for SMTP (Simple Mail Transfer Protocol) Command Injection and Header Injection. The issue arises due to improper neutralization of special elements (CWE-138), where specially crafted data is processed. By injecting malicious commands into email headers, an attacker can manipulate the SMTP session or email content. Successful exploitation could lead to the disclosure of sensitive information. The attack vector is network-based, requires no privileges, and no user interaction (CVSS: AV:N/AC:L/PR:N/UI:N). This can be used to spoof legitimate senders, bypass authentication, or trick users into performing unintended actions. The vulnerability affects .NET 8.0, 9.0, and 10.0 on all platforms and architectures. Attack complexity is low, making this a significant threat for enterprise applications. The vulnerability is classified as a spoofing attack, with a CVSS base score of 7.5 (High). Microsoft has released patches as part of the April 14, 2026 servicing updates. Proof-of-concept code is not publicly available, but the flaw is considered reproducible. This vulnerability underscores the importance of strict input validation in email handling routines.
dailycve form
Platform: All .NET
Version: 8.0,9.0,10.0
Vulnerability : SMTP/Header Injection
Severity: High (7.5)
date: 2026-04-14
Prediction: Patch already available
What Undercode Say:
Analytics
Check installed .NET versions dotnet --info List vulnerable packages in project dotnet list package --vulnerable Update .NET runtime (Ubuntu/Debian example) sudo apt-get update && sudo apt-get install dotnet-runtime-8.0 Update self-contained app (recompile and redeploy) dotnet publish -c Release -r linux-x64 --self-contained
Exploit:
Crafted email data injects SMTP commands via MailAddress parsing flaw. Example: "Attacker <[email protected]>\r\nBCC: [email protected]".
Protection from this CVE
Update to patched versions: .NET 8.0.26+, 9.0.15+, or 10.0.6+. Restart all apps after update.
Impact
Sensitive info disclosure via spoofed emails, bypassing authentication, enabling further attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

