MailKit, a cross-platform mail client library, suffers from a STARTTLS Response Injection vulnerability (CVE-2026-41319) in versions before 4.16.0. The vulnerability stems from the internal read buffer in SmtpStream, ImapStream, and Pop3Stream not being flushed when the underlying stream is replaced with SslStream during the STARTTLS upgrade. This flaw allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the trust boundary from plaintext to TLS. As a result, the attacker can downgrade SASL authentication mechanisms, potentially forcing weaker authentication methods. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The issue is patched in MailKit version 4.16.0.

An attacker positioned as a Man-in-the-Middle can inject malicious protocol responses during the STARTTLS upgrade, causing the client to accept attacker-injected data as if it were legitimate TLS-protected responses. This enables downgrading the SASL authentication mechanism to weaker methods like PLAIN, which can compromise authentication security. There is no direct confidentiality impact reported, but integrity of the authentication negotiation is affected. No known exploits are reported in the wild at this time.

Upgrade MailKit to version 4.16.0 or later, where this vulnerability is patched. Since the vulnerability is fixed in this version, no additional mitigation steps are required beyond applying the official update. Patch status is not explicitly stated but the vendor has released version 4.16.0 to address the issue, indicating an official fix is available.