UBUNTU-CVE-2026-45067
A vulnerability in Symfony's Mime Address component allows email addresses with RFC-5322 quoted strings containing raw CRLF characters in the local-part. This can lead to injection of new mail headers or SMTP commands when the address is used in message headers or SMTP protocol lines. The issue is fixed by rejecting addresses containing line breaks in the constructor.
AI Analysis
Technical Summary
The Symfony\Component\Mime\Address constructor, which validates email addresses for the Symfony Mailer, improperly accepts addresses whose local-part is an RFC-5322 quoted string containing raw CRLF (\r\n) bytes. These embedded line breaks can be exploited to inject additional mail headers or SMTP commands when the address is emitted verbatim into message headers or SMTP MAIL FROM/RCPT TO commands. The vulnerability is addressed by patching the constructor to reject addresses containing line breaks. The fix is available in Symfony branch 5.4.
Potential Impact
An attacker can craft email addresses with embedded CRLF sequences that lead to injection of new mail headers or SMTP commands. This can potentially be used to manipulate email message structure or SMTP transactions, which may affect mail delivery or enable further attacks relying on mail header injection. No direct evidence of exploits in the wild is reported.
Mitigation Recommendations
A patch is available that updates the Address constructor to reject email addresses containing line breaks. Users should apply the official fix from Symfony branch 5.4 or later versions that include this patch. Until patched, avoid processing untrusted email addresses with the vulnerable versions.
UBUNTU-CVE-2026-45067
Description
A vulnerability in Symfony's Mime Address component allows email addresses with RFC-5322 quoted strings containing raw CRLF characters in the local-part. This can lead to injection of new mail headers or SMTP commands when the address is used in message headers or SMTP protocol lines. The issue is fixed by rejecting addresses containing line breaks in the constructor.
CVSS v4.0
Affected software
pkg:deb/ubuntu/[email protected]?arch=source&distro=xenialpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu0.1+esm2?arch=source&distro=esm-apps/bionicpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu1+esm2?arch=source&distro=esm-apps/focalpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu8+esm1?arch=source&distro=esm-apps/jammypkg:deb/ubuntu/[email protected]+dfsg-3ubuntu3+esm1?arch=source&distro=esm-apps/noblepkg:deb/ubuntu/[email protected]+dfsg-1?arch=source&distro=questingpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu1?arch=source&distro=resoluteRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Symfony\Component\Mime\Address constructor, which validates email addresses for the Symfony Mailer, improperly accepts addresses whose local-part is an RFC-5322 quoted string containing raw CRLF (\r\n) bytes. These embedded line breaks can be exploited to inject additional mail headers or SMTP commands when the address is emitted verbatim into message headers or SMTP MAIL FROM/RCPT TO commands. The vulnerability is addressed by patching the constructor to reject addresses containing line breaks. The fix is available in Symfony branch 5.4.
Potential Impact
An attacker can craft email addresses with embedded CRLF sequences that lead to injection of new mail headers or SMTP commands. This can potentially be used to manipulate email message structure or SMTP transactions, which may affect mail delivery or enable further attacks relying on mail header injection. No direct evidence of exploits in the wild is reported.
Mitigation Recommendations
A patch is available that updates the Address constructor to reject email addresses containing line breaks. Users should apply the official fix from Symfony branch 5.4 or later versions that include this patch. Until patched, avoid processing untrusted email addresses with the vulnerable versions.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- UBUNTU-CVE-2026-45067
- Osv Schema Version
- 1.7.0
- Aliases
- []
- Ecosystems
- ["Ubuntu:16.04:LTS","Ubuntu:Pro:18.04:LTS","Ubuntu:Pro:20.04:LTS","Ubuntu:Pro:22.04:LTS","Ubuntu:Pro:24.04:LTS","Ubuntu:25.10","Ubuntu:26.04:LTS"]
- Database Specific Severity
- null
- Cvss Version
- 4.0
Threat ID: 6a58b4b168715ace43da95bc
Added to database: 07/16/2026, 10:38:41 UTC
Last enriched: 07/16/2026, 12:49:24 UTC
Last updated: 07/16/2026, 12:49:24 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.