PatchSiren cyber security CVE debrief
CVE-2026-44844 GOVCERT-LU CVE debrief
A medium-severity vulnerability in the eml_parser Python library allows attackers to cause denial of service through recursive parsing of nested message/rfc822 attachments. The issue stems from unconditional recursion in EmlParser.get_raw_body_text() without depth limiting, enabling a 12 KB crafted EML file with approximately 120 nested parts to trigger an unhandled RecursionError and crash parsing workers. The vulnerability was disclosed on 2026-05-26 and affects versions prior to 3.0.1.
- Vendor: GOVCERT-LU
- Product: eml_parser
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
Who should care
Organizations using eml_parser for automated email processing, security vendors performing email analysis, and developers building email security tools should prioritize patching. The vulnerability poses particular risk to services processing untrusted EML files from external sources without pre-validation.
Technical summary
The eml_parser library's get_raw_body_text() method recursively processes message/rfc822 attachments without enforcing a maximum recursion depth. An attacker can craft a malicious EML file with deeply nested message/rfc822 parts (approximately 120 levels) to exhaust the Python call stack, resulting in an unhandled RecursionError that terminates the parsing process. The vulnerability requires the attacker to supply a crafted EML file, and the attack surface is limited by the atypical structure required: such files would fail standard RFC compliance validation. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L) reflects a network attack vector, low attack complexity, attack requirements present, no privileges required, no user interaction, and low availability impact with no confidentiality or integrity impact.
Defensive priority
medium
Recommended defensive actions
- Upgrade eml_parser to version 3.0.1 or later to obtain the recursion depth limit fix
- Implement input validation for EML files to reject non-RFC-compliant messages before processing
- Consider implementing resource limits and timeout controls for EML parsing operations in production environments
- Monitor for anomalous EML parsing failures that may indicate attempted exploitation
- Review application logging to detect RecursionError exceptions in email processing pipelines
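The pre-validation step recommended above, applied to the nesting pattern described in the technical summary, as an added example that is not eml_parser's own code or the project's fix. It uses only the Python standard library, walks the MIME tree with an explicit stack so the check itself cannot overflow the call stack, and raises a controlled error once message/rfc822 nesting passes an assumed limit (MAX_RFC822_DEPTH, chosen for illustration) so the file can be rejected before any parsing worker touches it; the sample EML bytes are constructed inline only to exercise the gate.

```python
import email
from email import policy

# Assumed limit for this example: legitimately forwarded mail rarely nests
# more than a handful of message/rfc822 levels; tune it to your own traffic.
MAX_RFC822_DEPTH = 10


class NestingTooDeep(ValueError):
    """Controlled rejection, instead of a RecursionError escaping the worker."""


def rfc822_nesting_depth(msg, max_depth=MAX_RFC822_DEPTH):
    """Return how deeply message/rfc822 parts are nested inside msg.

    The MIME tree is walked with an explicit stack rather than recursion, so
    this checker cannot exhaust the call stack itself, and it raises as soon
    as the limit is crossed instead of walking the whole tree first.
    """
    deepest = 0
    stack = [(msg, 0)]
    while stack:
        part, depth = stack.pop()
        if not part.is_multipart():
            continue
        # A parsed message/rfc822 part holds the embedded message as the single
        # item of its list payload; only those parts increase the depth.
        child_depth = depth + 1 if part.get_content_type() == "message/rfc822" else depth
        if child_depth > max_depth:
            raise NestingTooDeep(f"message/rfc822 nesting exceeds {max_depth} levels")
        deepest = max(deepest, child_depth)
        stack.extend((child, child_depth) for child in part.get_payload())
    return deepest


def check_eml_nesting(raw: bytes, max_depth=MAX_RFC822_DEPTH):
    """Gate to run on raw EML bytes before handing them to eml_parser."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return rfc822_nesting_depth(msg, max_depth)


def build_nested_eml(levels):
    """Constructed sample input: one plain message wrapped in `levels`
    message/rfc822 envelopes, used here only to exercise the gate."""
    eml = "Subject: innermost\nContent-Type: text/plain\n\nhello\n"
    for _ in range(levels):
        eml = "Subject: wrapper\nContent-Type: message/rfc822\n\n" + eml
    return eml.encode()
```

A caller would wrap check_eml_nesting in the same try/except as the parser call and log NestingTooDeep as a rejected input rather than a crash, which also gives the monitoring item above a clean signal to alert on.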
Evidence notes
The vulnerability description indicates that while exploitation is possible, the crafted EML file required would not pass basic RFC compliance tests, suggesting limited real-world exploitability. The fix in version 3.0.1 implements proper recursion depth limiting.
Official resources
- CVE-2026-44844 CVE record (CVE.org)
- CVE-2026-44844 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-26