CVE-2026-32178

Improper Neutralization of Special Elements
Affects: .NET Runtime / System.Net.Mail in .NET
Versions: .NET Runtime: >= 6.0.0 <= 6.0.39, >= 8.0.0 <= 8.0.25, >= 9.0.0 <= 9.0.14, >= 10.0.0 <= 10.0.5
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform made up of tools, programming languages, and libraries for building many different types of applications. ASP.NET Core extends the .NET developer platform with tools and libraries specifically for building web apps. ASP.NET Core is the open-source, cross-platform version of ASP.NET that runs on macOS, Linux, and Windows. ASP.NET Core was first released in 2016 and is a re-design of earlier Windows-only versions of ASP.NET.

A vulnerability (CVE-2026-32178) exists in applications using System.Net.Mail when specially crafted email address data containing carriage return and line feed sequences is accepted during mail address parsing. This can allow an unauthorized attacker to perform a spoofing attack over the network.

Per CWE-138: Improper Neutralization of Special Elements, the weakness occurs when specially crafted input is not safely neutralized before it is interpreted by a structured component, allowing an attacker to influence how the data is processed and enable spoofing behavior.

This issue affects .NET 6.0.0 through 6.0.39 in NES-supported environments. Microsoft also serviced its supported releases (.NET 8.0, .NET 9.0, and .NET 10.0) in the April 14, 2026 security updates.

Additionally, if you have deployed self-contained applications targeting impacted .NET 6 builds, those applications bundle their own copy of the runtime and are therefore also vulnerable: installing the fixed runtime on the host does not help them, so they must be rebuilt against the fixed runtime and redeployed.

Details

Module Info

  • Product: Any .NET application using System.Net.Mail
    • Any .NET 6.0 application running on .NET 6.0.39 or earlier.
    • Any .NET 8.0 application running on .NET 8.0.25 or earlier.
    • Any .NET 9.0 application running on .NET 9.0.14 or earlier.
    • Any .NET 10.0 application running on .NET 10.0.5 or earlier.
  • Affected components:
    • Microsoft.NETCore.App
    • System.Net.Mail
  • Affected versions:
    • .NET 6: >= 6.0.0 <= 6.0.39
    • Microsoft-supported releases:
      • .NET 8.0 fixed in 8.0.26
      • .NET 9.0 fixed in 9.0.15
      • .NET 10.0 fixed in 10.0.6
  • GitHub repository:
    • System.Net.Mail: https://github.com/dotnet/runtime
  • Published packages: Download .NET (Linux, macOS, and Windows)
  • Package manager:
    • NuGet
    • Windows Installer
    • Linux package managers
    • Docker
  • Fixed in: NES for .NET 6.0.40
  • Key fixed file:
    • src/libraries/System.Net.Mail/src/System/Net/Mail/MailAddressParser.cs
  • Key tests:
    • MailAddressParserTest.cs
    • MailAddressParsingTest.cs
    • SmtpClientTest.cs
  • Vulnerable branch:
    • nes-release-6.0.39 and earlier
  • Fixed branch:
    • nes-release-6.0.40
  • Commercial support availability: HeroDevs NES for .NET

Vulnerability Info

This High-severity vulnerability is found in System.Net.Mail. The core issue lies in mail address parsing, where specially crafted address data containing embedded CR/LF sequences could be accepted instead of rejected. That malformed data can change how email identity fields are interpreted and enable spoofing scenarios during network mail handling.

Steps To Reproduce

  1. Set up a .NET project that uses System.Net.Mail.
    • Create a MailAddress or MailMessage using attacker-controlled address data.
  2. Provide specially crafted input containing embedded CR/LF sequences.
    • Example payloads include domain-literal folding such as testuser@[mail.com \r\n ].
    • Additional malformed quoted input such as "test\r\n test"@mail.com may also trigger the issue.
  3. Parse the address by constructing a MailAddress instance.
    • Use the parsed address in a MailMessage or SMTP workflow.
  4. Before the fix:
    • The parser could accept malformed address content instead of rejecting it.
    • That behavior could enable spoofed mail identity or header interpretation over the network.
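The following console program is an added example (it is not HeroDevs code and not part of dotnet/runtime). It turns the steps above into something you can run against a given runtime: it reports whether Environment.Version falls inside the advisory's vulnerable ranges, feeds the two CR/LF payloads quoted above to MailAddress.TryCreate to see whether the parser accepts them, and shows an application-side guard that rejects CR/LF in attacker-controlled address data before the parser ever sees it. The class and method names are mine; it assumes a .NET 6 or later SDK (MailAddress.TryCreate exists since .NET 5), that TryCreate reflects the same accept/reject decision as the MailAddress constructor, and that Environment.Version reports the runtime's patch version.

```csharp
#nullable enable
// Added example for CVE-2026-32178; not HeroDevs or dotnet/runtime code.
// Assumes .NET 6+ and that MailAddress.TryCreate mirrors the constructor's
// accept/reject behaviour (an assumption, not something the advisory states).
using System;
using System.Net.Mail;

static class Cve202632178Check
{
    // Payloads quoted from the advisory's reproduction steps. The \r\n are real
    // control characters inside the string, not escaped text.
    static readonly string[] Payloads =
    {
        "testuser@[mail.com \r\n ]",
        "\"test\r\n test\"@mail.com",
    };

    // Vulnerable ranges from the advisory: 6.0.0-6.0.39, 8.0.0-8.0.25,
    // 9.0.0-9.0.14, 10.0.0-10.0.5. Other majors (e.g. 7.x) are not listed.
    public static bool IsVulnerableRuntime(Version v)
    {
        if (v.Minor != 0) return false;
        return v.Major switch
        {
            6 => v.Build <= 39,
            8 => v.Build <= 25,
            9 => v.Build <= 14,
            10 => v.Build <= 5,
            _ => false,
        };
    }

    // Guard for untrusted input: CR, LF and any other ASCII control character
    // are never legitimate in an address typed into a form or API field, so
    // reject them regardless of how the runtime's parser would treat them.
    public static bool IsSafeAddressInput(string? input)
    {
        if (string.IsNullOrWhiteSpace(input)) return false;
        foreach (char c in input)
        {
            if (char.IsControl(c)) return false;
        }
        return true;
    }

    // Parse only after the guard passes; TryCreate avoids exceptions on junk.
    public static MailAddress? ParseUntrusted(string input)
    {
        if (!IsSafeAddressInput(input)) return null;
        return MailAddress.TryCreate(input, out MailAddress? parsed) ? parsed : null;
    }

    static string Show(string s) => s.Replace("\r", "\\r").Replace("\n", "\\n");

    static void Main()
    {
        Version v = Environment.Version;
        Console.WriteLine($"Runtime {v}: {(IsVulnerableRuntime(v) ? "INSIDE" : "outside")} the advisory's vulnerable ranges");

        foreach (string payload in Payloads)
        {
            // What this runtime's parser does with the raw payload. Per the
            // advisory, a patched runtime should reject it; acceptance means the
            // parser still lets embedded CR/LF through.
            bool accepted = MailAddress.TryCreate(payload, out MailAddress? parsed);
            Console.WriteLine($"parser: {Show(payload)} -> {(accepted ? "ACCEPTED as <" + parsed!.Address + ">" : "rejected")}");

            // What the guarded path does: rejected before the parser sees it.
            Console.WriteLine($"guard : {Show(payload)} -> {(ParseUntrusted(payload) is null ? "rejected" : "accepted")}");
        }

        // A well-formed address still passes the guarded path.
        Console.WriteLine($"guard : user@example.com -> {(ParseUntrusted("user@example.com") is null ? "rejected" : "accepted")}");
    }
}
```

Drop this into a console project and `dotnet run` it once per runtime you care about. Because a self-contained build ships its own runtime, running the self-contained binary reports the bundled version, which is exactly the case the Overview flags as needing a rebuild rather than a host-level runtime update. The guard is deliberately stricter than the parser: it refuses all control characters, so it stays a useful defence even on a patched runtime where the parser alone would now reject these specific payloads.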

Mitigation

.NET 6.x is End-of-Life and will not receive official Microsoft updates to address this issue. For more information see .NET and .NET Core official support policy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to one of:
    • .NET Runtime >= 8.0.26
    • .NET Runtime >= 9.0.15
    • .NET Runtime >= 10.0.6
  • Leverage a commercial support partner like HeroDevs for post-EOL security support, including NES for .NET 6.0.40 or later.

Credits

  • P1hcn
Vulnerability Details

  • Severity: High (CVSS bands: Low >= 0 < 4; Medium >= 4 < 6; High >= 6 < 8; Critical >= 8 < 10)
  • ID: CVE-2026-32178
  • Project affected: .NET Runtime / System.Net.Mail
  • Versions affected: .NET Runtime: >= 6.0.0 <= 6.0.39, >= 8.0.0 <= 8.0.25, >= 9.0.0 <= 9.0.14, >= 10.0.0 <= 10.0.5
  • NES versions affected: 6.0.0 through 6.0.39 (nes-release-6.0.39 and earlier)
  • Published date: April 15, 2026
  • Fix date (approximate): April 14, 2026
  • Fixed in: NES for .NET 6.0.40
  • Category: Improper Neutralization of Special Elements