CVE-2026-26312: CWE-770: Allocation of Resources Without Limits or Throttling in stalwartlabs stalwart
Stalwart is a mail and collaboration server. A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 where accessing a specially crafted email containing malformed nested `message/rfc822` MIME parts via IMAP or JMAP causes excessive CPU and memory consumption, potentially leading to an out-of-memory condition and server crash. The malformed structure causes the `mail-parser` crate to produce cyclical references in its parsed representation, which Stalwart then follows indefinitely. Version 0.15.5 contains a patch.
AI Analysis
Technical Summary
CVE-2026-26312 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the Stalwart Mail Server, a mail and collaboration platform. Versions from 0.13.0 up to but not including 0.15.5 are vulnerable. The flaw is triggered when the server processes a specially crafted email containing malformed nested message/rfc822 MIME parts via IMAP or JMAP protocols. The malformed MIME structure causes the underlying mail-parser Rust crate to generate cyclical references in its parsed data representation. Stalwart's processing logic follows these cyclical references without limit, resulting in unbounded CPU and memory consumption. This resource exhaustion can cause the server to run out of memory and crash, leading to denial of service. The vulnerability requires an attacker to have authenticated access to the mail server to deliver or access the malicious email, but no additional user interaction is needed. The issue was addressed in Stalwart version 0.15.5 by patching the mail-parser handling to detect and break cycles, preventing infinite resource consumption. No known exploits are reported in the wild as of publication. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, unchanged scope, no confidentiality or integrity impact, but high availability impact. This vulnerability highlights the risks of insufficient input validation and resource management in mail parsing components, especially when dealing with complex MIME structures.
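The failure mode described above (a parsed part structure that refers back to itself, walked by code that assumes a finite tree) and the fix described for 0.15.5 (detect and break cycles) can be shown on a small model. The following is an added example, not code from Stalwart or the `mail-parser` crate: it assumes an arena layout in which parts live in a vector and nested `message/rfc822` parts reference children by index, and the names `Part`, `Message`, `count_parts_unbounded`, `count_parts_bounded`, `deep_chain` and the `MAX_DEPTH` value are all constructed for the illustration. The unbounded walk only returns on the cyclic input because of a demonstration budget; the bounded walk is the CWE-770 mitigation: a visited set that rejects any part seen twice (in a MIME tree every part has exactly one parent, so a revisit is a cycle), a depth cap, and an explicit stack so deep nesting cannot overflow the call stack.

```rust
use std::collections::HashSet;

/// One MIME part. Nested parts refer to their children by index into the
/// owning `Message::parts` vector (assumed arena layout, not mail-parser's API).
#[derive(Debug, Clone)]
pub struct Part {
    pub content_type: &'static str,
    pub children: Vec<usize>,
}

#[derive(Debug, Clone)]
pub struct Message {
    pub parts: Vec<Part>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum WalkError {
    Cycle(usize),
    TooDeep(usize),
    DanglingIndex(usize),
}

/// Maximum nesting depth the walker will follow (assumed policy value).
pub const MAX_DEPTH: usize = 32;

/// Unbounded recursive walk: trusts that child indices form a finite tree.
/// On a cyclic structure it would recurse forever; `budget` is only a guard
/// so this demonstration returns `None` instead of hanging.
pub fn count_parts_unbounded(msg: &Message, idx: usize, budget: &mut usize) -> Option<usize> {
    if *budget == 0 {
        return None; // work limit hit: the structure was not a finite tree
    }
    *budget -= 1;
    let part = msg.parts.get(idx)?;
    let mut total = 1;
    for &child in &part.children {
        total += count_parts_unbounded(msg, child, budget)?;
    }
    Some(total)
}

/// Bounded walk: rejects cycles, excessive depth and dangling indices, and
/// uses an explicit stack so deep nesting cannot overflow the call stack.
pub fn count_parts_bounded(msg: &Message, root: usize) -> Result<usize, WalkError> {
    let mut visited: HashSet<usize> = HashSet::new();
    let mut stack: Vec<(usize, usize)> = vec![(root, 0)]; // (part index, depth)
    let mut total = 0;
    while let Some((idx, depth)) = stack.pop() {
        if depth > MAX_DEPTH {
            return Err(WalkError::TooDeep(idx));
        }
        // A MIME part has exactly one parent, so seeing an index twice means a cycle.
        if !visited.insert(idx) {
            return Err(WalkError::Cycle(idx));
        }
        let part = msg.parts.get(idx).ok_or(WalkError::DanglingIndex(idx))?;
        total += 1;
        for &child in &part.children {
            stack.push((child, depth + 1));
        }
    }
    Ok(total)
}

/// Constructed sample: multipart root holding a text part and one nested
/// message/rfc822 that itself holds a text part.
pub fn well_formed() -> Message {
    Message {
        parts: vec![
            Part { content_type: "multipart/mixed", children: vec![1, 2] },
            Part { content_type: "text/plain", children: vec![] },
            Part { content_type: "message/rfc822", children: vec![3] },
            Part { content_type: "text/plain", children: vec![] },
        ],
    }
}

/// Constructed sample modelling the bug class: the nested message's child
/// index points back at the root, forming the cycle 0 -> 2 -> 0.
pub fn cyclic() -> Message {
    Message {
        parts: vec![
            Part { content_type: "multipart/mixed", children: vec![1, 2] },
            Part { content_type: "text/plain", children: vec![] },
            Part { content_type: "message/rfc822", children: vec![0] },
        ],
    }
}

/// Constructed sample: a chain of `n` nested message/rfc822 parts ending in a
/// text part, used to exercise the depth cap.
pub fn deep_chain(n: usize) -> Message {
    let parts = (0..=n)
        .map(|i| Part {
            content_type: if i == n { "text/plain" } else { "message/rfc822" },
            children: if i == n { vec![] } else { vec![i + 1] },
        })
        .collect();
    Message { parts }
}

fn main() {
    let mut budget = 1_000;
    println!("unbounded on cyclic input: {:?}", count_parts_unbounded(&cyclic(), 0, &mut budget));
    println!("bounded on cyclic input:   {:?}", count_parts_bounded(&cyclic(), 0));
    println!("bounded on 40-deep chain:  {:?}", count_parts_bounded(&deep_chain(40), 0));
}
```

The visited set and depth cap are the two limits a parser consumer needs for untrusted structure: the first bounds work to the number of distinct parts, the second bounds it even when the parser itself emits a legitimately huge tree. Returning an error rather than a partial count lets the caller reject the message instead of serving a truncated view.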
Potential Impact
The primary impact of CVE-2026-26312 is denial of service due to resource exhaustion, which can cause Stalwart Mail Servers to crash or become unresponsive. This disrupts email and collaboration services, potentially halting business communications and workflows. Organizations relying on Stalwart for critical mail infrastructure may face operational downtime, loss of productivity, and increased support costs. Since the vulnerability requires authenticated access, insider threats or compromised accounts could be leveraged to exploit it. The lack of confidentiality or integrity impact means data leakage or tampering is not a concern here, but availability loss can have significant operational consequences. In environments with high mail volumes or automated mail processing, the risk of accidental triggering or targeted attacks increases. The absence of known exploits reduces immediate risk, but the medium severity score and ease of exploitation warrant prompt remediation. Organizations with regulatory requirements for uptime or service availability may face compliance risks if exploited.
Mitigation Recommendations
To mitigate CVE-2026-26312, organizations should upgrade Stalwart Mail Server to version 0.15.5 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement strict access controls to limit authenticated user privileges and monitor for unusual IMAP or JMAP activity indicative of malformed email processing. Employ network segmentation and rate limiting on mail server interfaces to reduce exposure to malicious inputs. Administrators should enable detailed logging and alerting on resource usage spikes and mail parsing errors to detect potential exploitation attempts early. Consider deploying mail gateway filters that can detect and quarantine emails with suspicious nested MIME structures before they reach the Stalwart server. Regularly audit user accounts and enforce strong authentication to reduce the risk of compromised credentials being used to exploit this vulnerability. Finally, maintain an incident response plan to quickly recover from potential denial-of-service events.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-13T16:27:51.806Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69977dd1d7880ec89b33bbe3
Added to database: 2/19/2026, 9:17:05 PM
Last enriched: 2/28/2026, 2:20:51 PM
Last updated: 4/6/2026, 8:50:16 AM