{
  "threat_severity" : "Important",
  "public_date" : "2026-04-14T18:41:05Z",
  "bugzilla" : {
    "description" : "dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw",
    "id" : "2457781",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457781"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-138",
  "details" : [ "Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.", "A flaw was found in the .NET runtime (System.Net.Mail) in how email address data is parsed. Improper neutralization of special characters, specifically carriage return and line feed (CR/LF) sequences, may allow specially crafted email address input to be interpreted incorrectly. An attacker could exploit this issue to perform email spoofing by injecting additional headers or altering how the email address is processed during SMTP operations." ],
  "statement" : "This Important flaw in the .NET runtime's System.Net.Mail component affects Red Hat Enterprise Linux and Red Hat Hardened Images. Improper neutralization of carriage return and line feed sequences during email address parsing can lead to SMTP command or header injection, enabling email spoofing in applications utilizing the affected .NET versions for SMTP operations.\nThe impact is primarily related to how email data is handled and interpreted. By injecting crafted header content, an attacker may influence the structure of email messages and potentially expose sensitive information included in those messages to unintended recipients.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8467",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "dotnet10.0-0:10.0.106-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8470",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "dotnet8.0-0:8.0.126-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8472",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "dotnet9.0-0:9.0.116-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8468",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet8.0-0:8.0.126-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8473",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet10.0-0:10.0.106-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8475",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet9.0-0:9.0.116-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8469",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet8.0-0:8.0.126-1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8471",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet10.0-0:10.0.106-1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8474",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet9.0-0:9.0.116-1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "dotnet10.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "dotnet8.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "dotnet9.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32178\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32178" ],
  "name" : "CVE-2026-32178",
  "mitigation" : {
    "value" : "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the relevant security updates when they become available.",
    "lang" : "en:us"
  },
  "csaw" : false
}