Out-of-Memory Denial of Service via Malformed Nested MIME Messages

Moderate
mdecimus published GHSA-jm95-876q-c9gw Feb 14, 2026

Package

stalwart

Affected versions

0.15.4

Patched versions

0.15.5

Description

Stalwart Security Advisory

CVE ID: CVE-2026-26312
Publication Date: 2026-02-14
Last Updated: 2026-02-14

Summary

A denial-of-service vulnerability exists in Stalwart Mail Server where accessing a specially crafted email containing malformed nested message/rfc822 MIME parts via IMAP or JMAP causes excessive CPU and memory consumption, potentially leading to an out-of-memory condition and server crash. The malformed structure causes the mail-parser crate to produce cyclical references in its parsed representation, which Stalwart then follows indefinitely.

Affected Products and Versions

Product: Stalwart Mail and Collaboration Server
Affected Versions:

  • Version 0.13.0 through 0.15.4

Fixed Versions:

  • Version 0.15.5 and later

Vulnerability Details

Description

The mail-parser crate used by Stalwart to parse email messages produced cyclical references in its parsed output when processing malformed MIME messages containing nested message/rfc822 parts with invalid structure. When an authenticated user accessed such a message via IMAP or JMAP and requested its body structure, Stalwart followed these cyclical references and entered an infinite loop, consuming CPU and memory until the process was terminated or the system ran out of memory.

Impact

An attacker can cause a denial of service against the Stalwart Mail Server by delivering a specially crafted email with malformed nested MIME parts to a mailbox. When any user accesses this message and requests its body structure through IMAP or JMAP, the malformed parts cause the parser to generate cyclical references, sending the server into an infinite loop that exhausts CPU and memory resources, potentially crashing the server and affecting all users.

CVSS Score

CVSS v3.1 Base Score: 6.5 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity Breakdown:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

CWE Classification

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Technical Details

Root Cause

The mail-parser crate did not properly handle malformed nested MIME parts when parsing emails containing message/rfc822 content types. When a message contained nested parts with an invalid structure, the parser produced cyclical references in its parsed representation of the message. Stalwart's IMAP and JMAP handlers then traversed these references when building the body structure response, resulting in an infinite loop.

Attack Scenario

  1. An attacker crafts a malformed email message containing nested message/rfc822 MIME parts with an invalid structure that causes the mail-parser crate to produce cyclical references in its parsed output.
  2. The attacker delivers this message to a target mailbox, either by sending it directly or by having it relayed through the server.
  3. When any authenticated user (including the attacker themselves) accesses the mailbox containing the malformed message and requests its body structure via an IMAP FETCH BODYSTRUCTURE command or a JMAP Email/get request with body properties, the server follows the cyclical references in the parsed representation and enters an infinite loop.
  4. The infinite loop consumes increasing amounts of CPU and memory until the server process is killed by the OS out-of-memory killer or the system becomes unresponsive.
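The traversal failure described in the root cause and scenario above, shown from the defender's side: the checks a body-structure builder needs so that corrupt parser output is rejected rather than followed. This is an added example, not Stalwart's or mail-parser's code; the `Part` type, its index-based child list, the `MAX_DEPTH` cap and the sample trees are assumptions made for the illustration.

```rust
use std::collections::HashSet;

// Constructed stand-in for a parsed MIME tree: a flat part list in which each
// part names its children by index. mail-parser's real types differ; this
// shape is an assumption made for the example only.
#[derive(Debug)]
struct Part {
    content_type: &'static str,
    sub_parts: Vec<usize>, // indexes into the containing Vec<Part>
}

// Hard cap on nesting depth, applied independently of cycle detection so that
// even a very long acyclic chain of message/rfc822 parts cannot exhaust the stack.
const MAX_DEPTH: usize = 64;

#[derive(Debug, PartialEq)]
enum BodyStructureError {
    Cycle(usize),         // part index reached a second time
    TooDeep(usize),       // depth at which the walk was abandoned
    DanglingIndex(usize), // child index outside the part list
}

// Render a BODYSTRUCTURE-style S-expression for the tree rooted at `root`.
// A well-formed MIME tree reaches every part exactly once, so any repeated
// index is treated as corrupt parser output and rejected instead of followed.
fn body_structure(parts: &[Part], root: usize) -> Result<String, BodyStructureError> {
    let mut visited = HashSet::new();
    let mut out = String::new();
    walk(parts, root, 0, &mut visited, &mut out)?;
    Ok(out)
}

fn walk(
    parts: &[Part],
    idx: usize,
    depth: usize,
    visited: &mut HashSet<usize>,
    out: &mut String,
) -> Result<(), BodyStructureError> {
    if depth > MAX_DEPTH {
        return Err(BodyStructureError::TooDeep(depth));
    }
    let part = parts.get(idx).ok_or(BodyStructureError::DanglingIndex(idx))?;
    if !visited.insert(idx) {
        return Err(BodyStructureError::Cycle(idx));
    }
    out.push('(');
    out.push_str(part.content_type);
    for &child in &part.sub_parts {
        out.push(' ');
        walk(parts, child, depth + 1, visited, out)?;
    }
    out.push(')');
    Ok(())
}

// Constructed well-formed message: multipart/mixed holding a text part and a
// forwarded message/rfc822 part with its own text body.
fn well_formed() -> Vec<Part> {
    vec![
        Part { content_type: "multipart/mixed", sub_parts: vec![1, 2] },
        Part { content_type: "text/plain", sub_parts: vec![] },
        Part { content_type: "message/rfc822", sub_parts: vec![3] },
        Part { content_type: "text/plain", sub_parts: vec![] },
    ]
}

// Constructed corrupt output: the nested message/rfc822 part lists its own
// ancestor (index 0) as a child, so a walk without a visited set never ends.
fn cyclic() -> Vec<Part> {
    vec![
        Part { content_type: "multipart/mixed", sub_parts: vec![1, 2] },
        Part { content_type: "text/plain", sub_parts: vec![] },
        Part { content_type: "message/rfc822", sub_parts: vec![0] },
    ]
}

// Constructed acyclic chain of `len` nested message/rfc822 parts, used to
// exercise the depth cap.
fn deep_chain(len: usize) -> Vec<Part> {
    (0..len)
        .map(|i| Part {
            content_type: "message/rfc822",
            sub_parts: if i + 1 < len { vec![i + 1] } else { vec![] },
        })
        .collect()
}

fn main() {
    println!("{:?}", body_structure(&well_formed(), 0));
    println!("{:?}", body_structure(&cyclic(), 0));
    println!("{:?}", body_structure(&deep_chain(70), 0));
}
```

The visited set turns the unbounded loop into an immediate `Cycle` error, and the depth cap bounds the work even when the parser output is acyclic but pathologically deep; either failure should be surfaced to the IMAP or JMAP client as an error for that one message rather than taking the whole process down.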

Prerequisites

  • The attacker must be able to deliver an email to a mailbox on the target Stalwart server (e.g., by sending an email to a valid address on the server).
  • An authenticated user must access the malformed message via IMAP or JMAP and request its body structure.

Remediation

Recommended Actions

  1. Immediate: Upgrade to version 0.15.5 or later.
  2. Short-term: Monitor server resource usage (CPU and memory) for unusual spikes that could indicate exploitation attempts. Consider setting OS-level memory limits for the Stalwart process (e.g., via systemd MemoryMax or Docker memory limits) to prevent a full system crash.
  3. Long-term: Keep your Stalwart installation up to date with the latest releases to benefit from ongoing security improvements.

Upgrade Instructions

For detailed upgrade instructions, see the CHANGELOG.

If you are upgrading from v0.14.x or earlier, this version includes breaking changes. Please read the upgrading documentation for more information.

Workarounds

There are no effective workarounds for this vulnerability other than upgrading. Administrators can mitigate the impact by configuring OS-level memory limits for the Stalwart process to prevent a complete system crash, but this will not prevent the denial of service to the mail server itself.

Note: Workarounds are temporary measures and do not fully resolve the vulnerability. Upgrading is strongly recommended.

Detection

Indicators of Compromise

  • Sudden, sustained spikes in CPU usage by the Stalwart process.
  • Rapidly increasing memory consumption by the Stalwart process.
  • Server becoming unresponsive to IMAP, JMAP, or SMTP connections.
  • Out-of-memory killer (OOM killer) entries in system logs targeting the Stalwart process.
  • Presence of emails with malformed, deeply nested message/rfc822 MIME parts in server mailboxes.

Log Entries

# Check kernel logs for OOM killer activity targeting Stalwart
journalctl -k | grep -i "out of memory"
journalctl -k | grep -i "stalwart"

# Monitor Stalwart process resource usage; matching on the command name
# avoids the grep process showing up in its own results
pgrep -a stalwart-mail
ps -o pid,pcpu,pmem,rss,etime,cmd -C stalwart-mail
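A small checker for the OOM-killer indicator listed above, run over kernel log lines in the form `journalctl -k` prints them. This is an added example and not part of the advisory; the sample lines, host name and PIDs are constructed, and the `stalwart-mail` process name is the one used in the advisory's own commands.

```rust
// Constructed kernel log excerpt in journalctl -k format. The first three
// lines show one OOM event against the mail server; the fourth is a kill of
// an unrelated process and must not be reported.
const SAMPLE_JOURNAL: &str = "\
Feb 14 03:12:01 mx1 kernel: stalwart-mail invoked oom-killer: gfp_mask=0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), order=0, oom_score_adj=0
Feb 14 03:12:01 mx1 kernel: Out of memory: Killed process 1842 (stalwart-mail) total-vm:8123456kB, anon-rss:7900000kB, file-rss:0kB, shmem-rss:0kB, UID:998 pgtables:15800kB oom_score_adj:0
Feb 14 03:12:02 mx1 kernel: oom_reaper: reaped process 1842 (stalwart-mail), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
Feb 14 03:40:17 mx1 kernel: Out of memory: Killed process 2210 (clamd) total-vm:2048000kB, anon-rss:1900000kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:4000kB oom_score_adj:0
";

#[derive(Debug, PartialEq)]
struct OomKill {
    pid: u32,
    comm: String, // kernel command name of the killed process
}

// Parse the "Killed process <pid> (<comm>)" fragment the kernel logs when the
// OOM killer terminates a process. Lines without it (including the
// "invoked oom-killer" and "oom_reaper" lines) yield None.
fn parse_oom_kill(line: &str) -> Option<OomKill> {
    let marker = "Killed process ";
    let start = line.find(marker)? + marker.len();
    let (pid_str, rest) = line[start..].split_once(' ')?;
    let pid = pid_str.parse().ok()?;
    let comm = rest.strip_prefix('(')?.split_once(')')?.0.to_string();
    Some(OomKill { pid, comm })
}

// Keep only kills whose victim is the mail server process.
fn stalwart_oom_kills<'a>(lines: impl IntoIterator<Item = &'a str>) -> Vec<OomKill> {
    lines
        .into_iter()
        .filter_map(parse_oom_kill)
        .filter(|kill| kill.comm == "stalwart-mail")
        .collect()
}

fn main() {
    for kill in stalwart_oom_kills(SAMPLE_JOURNAL.lines()) {
        println!("OOM killer terminated {} (pid {})", kill.comm, kill.pid);
    }
}
```

In production the input would be `journalctl -k --since` output piped in on stdin; a hit is worth correlating with the IMAP or JMAP access log for the same minute to find the message whose body structure was being fetched.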

Timeline

  • 2026-02-13: Vulnerability reported by @proxforge
  • 2026-02-14: Fix developed, tested, and released in version 0.15.5
  • 2026-02-14: Public disclosure

Credits

This vulnerability was discovered by @proxforge.

Contact Information

For questions or concerns regarding this advisory, please contact:
Security Team: hello@stalw.art
Website: https://stalw.art

To report security vulnerabilities in Stalwart, please follow our responsible disclosure policy.

Disclaimer

This advisory is provided "as is" without warranty of any kind. The information contained in this advisory is subject to change without notice.
