CVE-2026-26312
📋 TL;DR
A denial-of-service vulnerability in Stalwart Mail Server lets an attacker crash the server by sending an email with malformed nested MIME parts: parsing the crafted message consumes excessive CPU and memory until the process dies. It affects Stalwart Mail Server versions 0.13.0 through 0.15.4 and is fixed in 0.15.5.
💻 Affected Systems
- Stalwart Mail Server
📦 What is this software?
Stalwart Mail Server is an open-source mail server written in Rust that provides SMTP, IMAP and JMAP services from a single binary.
⚠️ Risk & Real-World Impact
Worst Case
Complete mail server outage affecting all email services and requiring a manual restart; messages in flight at the moment of the crash may be lost, and an attacker who keeps resending the crafted message can keep the server down.
Likely Case
Temporary service disruption affecting IMAP/JMAP access, requiring server restart and causing user downtime.
If Mitigated
Limited impact with proper monitoring and rapid response, potentially causing brief service interruption.
🎯 Exploit Status
Exploitation only requires getting a crafted message delivered to a mailbox the server hosts. For inbound mail that needs no authentication: any external sender can address a message to a local recipient, so the attack surface is not limited to authenticated users, compromised accounts or open relays.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.15.5
Vendor Advisory: https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-jm95-876q-c9gw
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Stop the Stalwart Mail Server service.
3. Update to version 0.15.5 using your package manager or from source.
4. Verify the update completed successfully (the reported version should be 0.15.5 or higher).
5. Restart the Stalwart Mail Server service.
🔧 Temporary Workarounds
Disable IMAP/JMAP Access
Temporarily stop serving IMAP and JMAP while you schedule the upgrade. Note the cost: this cuts off every mailbox client, not just attackers, and it only helps if the crash is triggered when a client fetches the message. If the server parses the message at delivery time, turning off the client protocols does not stop the crash, so confirm where the parse happens (see the advisory) before relying on this.
# Edit the Stalwart configuration (the installer default is /opt/stalwart/etc/config.toml;
# packaged installs may use /etc/stalwart/config.toml or similar).
# Recent versions have no single imap.enabled / jmap.enabled switch: protocols are bound
# per listener under [server.listener.<name>] with protocol = "imap", "imaps" or "http"
# (JMAP is served over the HTTP listener). Comment out those listeners and restart.
# Verify the key names against the documentation for your installed version.
Rate Limiting
Limit how fast clients can issue IMAP/JMAP requests to slow down repeated triggering. This does not stop a single crafted message from crashing the server, so treat it as damage limitation, not prevention.
# Stalwart rate limits are configured per protocol, for example (recent versions; verify
# the key names and the "requests/window" syntax against your version's documentation):
# [imap.rate-limit]
# requests = "2000/1m"
# concurrent = 6
# [jmap.rate-limit]
# account = "1000/1m"
# Lower the values to what your environment actually needs.
🧯 If You Can't Patch
- Filter mail upstream of Stalwart (a gateway MTA or milter) and reject or quarantine messages with deeply nested or structurally broken MIME trees before Stalwart ever parses them
- Monitor host CPU and memory for the Stalwart process and alert on spikes and on service restarts, so a crash is noticed and the offending message can be pulled from the queue quickly
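A concrete form of the first mitigation above, as an added example (this is not Stalwart's code and not from the advisory): a Python pre-filter, suitable for a milter or gateway script, that uses the standard-library parser to bound MIME nesting depth and part count and to reject multipart messages whose structure is broken. The thresholds, the sample messages and the function names are assumptions. Note that this is not Stalwart's own MIME parser, so passing the check does not prove a message is harmless to Stalwart; it only removes the class of input the page describes.

```python
"""Added example (not Stalwart's code, not from the advisory): a MIME structure
pre-filter for a mail gateway or milter. Thresholds and samples are assumptions."""
import email
from email import policy
from email.errors import (
    CloseBoundaryNotFoundDefect,
    MultipartInvariantViolationDefect,
    NoBoundaryInMultipartDefect,
    StartBoundaryNotFoundDefect,
)

# Assumed policy limits; tune them to what legitimate mail in your environment needs.
MAX_DEPTH = 10            # multipart containers nested inside one another
MAX_PARTS = 200           # leaf (non-multipart) parts in the whole message
MAX_BOUNDARY_DECLS = 500  # cheap pre-parse bound on "boundary=" occurrences

# Defects that mean the multipart structure itself is broken, as opposed to the
# cosmetic header defects that legitimate mail produces all the time.
STRUCTURAL_DEFECTS = (
    NoBoundaryInMultipartDefect,
    StartBoundaryNotFoundDefect,
    CloseBoundaryNotFoundDefect,
    MultipartInvariantViolationDefect,
)


def mime_depth(msg) -> int:
    """Maximum number of nested multipart containers (a flat text mail is 0)."""
    if not msg.is_multipart():
        return 0
    return 1 + max((mime_depth(p) for p in msg.get_payload()), default=0)


def count_parts(msg) -> int:
    """Number of leaf (non-multipart) parts in the tree."""
    if not msg.is_multipart():
        return 1
    return sum(count_parts(p) for p in msg.get_payload())


def collect_defects(msg) -> list:
    """Parser defects from the root and every subpart."""
    found = list(msg.defects)
    if msg.is_multipart():
        for p in msg.get_payload():
            found.extend(collect_defects(p))
    return found


def check_message(raw: bytes, max_depth: int = MAX_DEPTH, max_parts: int = MAX_PARTS) -> dict:
    """Decide whether a raw RFC 5322 message should be passed on to the mail server."""
    result = {"accepted": False, "reason": "", "depth": None, "parts": None, "defects": []}
    # Bound the work before parsing, so the filter itself cannot be turned into the DoS target.
    decls = raw.lower().count(b"boundary=")
    if decls > MAX_BOUNDARY_DECLS:
        result["reason"] = f"{decls} boundary declarations exceed {MAX_BOUNDARY_DECLS}"
        return result
    try:
        msg = email.message_from_bytes(raw, policy=policy.default)
        result["depth"] = mime_depth(msg)
        result["parts"] = count_parts(msg)
        defects = collect_defects(msg)
    except RecursionError:  # defence in depth: the stdlib parser recurses per nesting level
        result["reason"] = "MIME nesting too deep to parse"
        return result
    result["defects"] = [type(d).__name__ for d in defects]
    structural = [type(d).__name__ for d in defects if isinstance(d, STRUCTURAL_DEFECTS)]
    if structural:
        result["reason"] = "malformed multipart structure: " + ", ".join(structural)
    elif result["depth"] > max_depth:
        result["reason"] = f"nesting depth {result['depth']} exceeds {max_depth}"
    elif result["parts"] > max_parts:
        result["reason"] = f"{result['parts']} parts exceed {max_parts}"
    else:
        result["accepted"] = True
        result["reason"] = "ok"
    return result


def build_nested_raw(depth: int) -> bytes:
    """Constructed sample: `depth` multipart/mixed containers wrapped around one text leaf."""
    head = b"From: sender@example.test\r\nTo: victim@example.test\r\n"
    tail = b""
    for i in range(depth):
        bnd = f"b{i:05d}".encode()  # zero-padded so no boundary is a prefix of another
        head += b"Content-Type: multipart/mixed; boundary=" + bnd + b"\r\n\r\n--" + bnd + b"\r\n"
        tail = b"\r\n--" + bnd + b"--\r\n" + tail
    return head + b"Content-Type: text/plain\r\n\r\nleaf\r\n" + tail


# Constructed sample: claims to be multipart but never declares a boundary.
MALFORMED_SAMPLE = (
    b"From: sender@example.test\r\nTo: victim@example.test\r\n"
    b"Content-Type: multipart/mixed\r\n\r\nno boundary here\r\n"
)

if __name__ == "__main__":
    samples = [
        ("flat", build_nested_raw(0)),
        ("nested-3", build_nested_raw(3)),
        ("nested-50", build_nested_raw(50)),
        ("bomb-2000", build_nested_raw(2000)),
        ("malformed", MALFORMED_SAMPLE),
    ]
    for label, raw in samples:
        r = check_message(raw)
        print(f"{label:10s} accepted={r['accepted']!s:5s} depth={r['depth']} reason={r['reason']}")
```

The order of the checks matters: the raw byte count of `boundary=` runs before any parsing, so a message that would exhaust the filter's own stack is thrown out in constant time, and the `RecursionError` catch is only a backstop. Only the four structural defect classes cause rejection; rejecting on every parser defect would bounce a large share of legitimate mail.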
🔍 How to Verify
Check if Vulnerable:
Check the Stalwart version with stalwart --version or through your package manager. If the version is between 0.13.0 and 0.15.4 inclusive, the system is vulnerable. Compare versions component by component rather than as strings, so that a hypothetical 0.15.10 is not mistaken for something older than 0.15.4.
Check Version:
stalwart --version
Verify Fix Applied:
After updating, verify version is 0.15.5 or higher using stalwart --version command.
📡 Detection & Monitoring
Log and Host Indicators:
- High CPU usage spikes
- Memory exhaustion warnings
- Server crash/restart events
- Unusual IMAP/JMAP connection patterns
Network Indicators:
- Multiple IMAP/JMAP connections with large email downloads
- Unusual email delivery patterns with complex MIME structures
SIEM Query:
Keep the log search and the metric search separate; mixing a text match with a CPU threshold in one expression, as in source="stalwart.logs" AND (... OR cpu_usage>90), leaves the AND/OR precedence ambiguous and most SIEMs will not evaluate a metric inside a log query. Stalwart is written in Rust, so a crash surfaces either as a panic message or as the runtime's allocation-failure abort:
source="stalwart.logs" AND ("panicked at" OR "memory allocation of" OR "out of memory")
source="stalwart.logs" AND (protocol="IMAP" OR protocol="JMAP") AND bytes_transferred>1000000
Pair these with a host-metrics alert on sustained cpu_usage>90 and on the service restarting.