PatchSiren cyber security CVE debrief

CVE-2026-41319 jstedfast CVE debrief

CVE-2026-41319 is a STARTTLS response-injection issue in MailKit versions prior to 4.16.0. A man-in-the-middle can place attacker-controlled protocol responses into the plaintext phase, and those bytes may be treated as trusted after the connection upgrades to TLS. The practical result is authentication integrity loss, including the ability to downgrade SASL mechanism selection (for example, steering a client away from SCRAM-SHA-256 toward PLAIN).

Vendor: jstedfast
Product: MailKit
CVSS: 6.5 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-24
Original CVE updated: 2026-05-21
Advisory published: 2026-04-24
Advisory updated: 2026-05-21

Who should care

Teams using MailKit before 4.16.0 in SMTP, IMAP, or POP3 workflows that rely on STARTTLS and authenticated mail transport, especially where connections may traverse untrusted networks or hostile intermediaries.

Technical summary

The issue is caused by internal read buffers in SmtpStream, ImapStream, and Pop3Stream not being flushed when the underlying stream is replaced with SslStream during STARTTLS negotiation. That leaves pre-TLS attacker-injected bytes available for later parsing as if they were legitimate post-TLS server responses. This can let a MitM influence protocol state and authentication-mechanism negotiation across the plaintext-to-TLS trust boundary. The vendor advisory and NVD record both identify 4.16.0 as the fixed release.
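The following is an added simulation of the buffering failure mode described above; it is not MailKit code and does not reproduce the real SmtpStream, ImapStream or Pop3Stream classes. A simplified line reader keeps an internal read buffer; when its transport is swapped for a stand-in "TLS" transport without first discarding that buffer, plaintext bytes that arrived together with the server's STARTTLS go-ahead are parsed as if they were the post-TLS EHLO reply. The byte strings, the ProtocolStream class and the run_starttls helper are all constructed for this example.

```python
"""Added example: how a stale read buffer survives a STARTTLS upgrade.

Hypothetical, simplified model of a protocol stream. In-memory byte streams
stand in for the plaintext socket and for the TLS-wrapped socket.
"""
import io

# Constructed plaintext traffic as the client would read it in one chunk:
# the genuine go-ahead for STARTTLS followed, in the same read, by lines a
# man-in-the-middle appended before the TLS handshake began.
PLAINTEXT_FROM_NETWORK = (
    b"220 Ready to start TLS\r\n"        # genuine server reply
    b"250-AUTH PLAIN\r\n250 OK\r\n"      # constructed: injected pre-TLS bytes
)

# Constructed genuine EHLO reply the real server sends after TLS is up.
TLS_FROM_SERVER = b"250-AUTH SCRAM-SHA-256\r\n250 OK\r\n"


class ProtocolStream:
    """Line-oriented reader with an internal buffer (hypothetical stand-in)."""

    def __init__(self, transport, chunk_size=4096):
        self.transport = transport      # file-like object: plaintext socket
        self.buffer = b""               # bytes read but not yet consumed
        self.chunk_size = chunk_size

    def read_line(self):
        # Fill the buffer in large chunks, then hand back one CRLF line.
        while b"\r\n" not in self.buffer:
            chunk = self.transport.read(self.chunk_size)
            if not chunk:
                break
            self.buffer += chunk
        line, _sep, rest = self.buffer.partition(b"\r\n")
        self.buffer = rest
        return line.decode("ascii", errors="replace")

    def upgrade_to_tls(self, tls_transport, flush_buffer):
        # Vulnerable behaviour: swap the transport but keep buffered bytes.
        # Patched behaviour: discard anything received in plaintext first,
        # so nothing from before the upgrade is parsed as a TLS response.
        if flush_buffer:
            self.buffer = b""
        self.transport = tls_transport


def parse_ehlo_response(stream):
    """Read a multi-line EHLO reply and return the advertised AUTH mechanisms."""
    mechanisms = []
    while True:
        line = stream.read_line()
        if not line:
            break
        if line[3:4] in (" ", "-") and line[4:].startswith("AUTH "):
            mechanisms.extend(line[9:].split())
        if line[3:4] == " ":            # "250 " (space) terminates the reply
            break
    return mechanisms


def run_starttls(flush_buffer):
    """Drive the client through STARTTLS and return the mechanisms it sees."""
    stream = ProtocolStream(io.BytesIO(PLAINTEXT_FROM_NETWORK))
    go_ahead = stream.read_line()
    if not go_ahead.startswith("220"):
        raise RuntimeError("server refused STARTTLS: " + go_ahead)
    # Handshake happens here in a real client; the buffer still holds the
    # injected lines that arrived in the same chunk as the 220 reply.
    stream.upgrade_to_tls(io.BytesIO(TLS_FROM_SERVER), flush_buffer=flush_buffer)
    return parse_ehlo_response(stream)


if __name__ == "__main__":
    print("buffer kept    :", run_starttls(flush_buffer=False))  # ['PLAIN']
    print("buffer flushed :", run_starttls(flush_buffer=True))   # ['SCRAM-SHA-256']
```

With the buffer kept, the client believes the TLS-protected server only offers PLAIN and selects it, which is the mechanism downgrade the advisory describes; with the buffer discarded at the upgrade it sees the genuine SCRAM-SHA-256 offer. A stricter design than silently discarding is to treat any bytes left over after the STARTTLS go-ahead as a protocol violation and abort the connection, since a well-behaved server sends nothing else in plaintext at that point.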

Defensive priority

Medium, with higher urgency for deployments that use STARTTLS over untrusted networks or depend on stronger SASL mechanisms for authentication integrity.

Recommended defensive actions

  • Upgrade MailKit to 4.16.0 or later everywhere the library is used.
  • Review SMTP, IMAP, and POP3 clients for STARTTLS handling and verify they are not relying on vulnerable versions.
  • Treat mechanism downgrade during authentication negotiation as a security event and log/alert on unexpected SASL selection changes.
  • Retest any custom mail transport wrappers or connection abstractions after upgrading to ensure the patched buffering behavior is in place.
  • If you cannot upgrade immediately, reduce exposure by avoiding untrusted network paths for mail authentication traffic and prioritizing transport-layer protections where available.
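One way to act on the "log/alert on unexpected SASL selection changes" recommendation above, as an added example that is not part of the advisory or of MailKit: a small detector that reads authentication log lines, remembers the strongest mechanism seen so far for each (host, protocol) pair, and raises an alert whenever a later login uses a weaker one. The log format, the sample lines and the mechanism ranking are constructed for this example; a real deployment would adapt the regular expression to whatever the client actually emits.

```python
"""Added example: alert on SASL mechanism downgrades in client auth logs."""
import re

# Hypothetical strength ranking; higher is stronger. Unknown mechanisms rank 0.
MECHANISM_RANK = {
    "SCRAM-SHA-512": 5,
    "SCRAM-SHA-256": 4,
    "SCRAM-SHA-1": 3,
    "CRAM-MD5": 2,
    "PLAIN": 1,
    "LOGIN": 1,
}

# Constructed log format: "<timestamp> host=<host> proto=<smtp|imap|pop3> auth=<mechanism> ..."
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proto=(?P<proto>\S+)\s+auth=(?P<mech>\S+)"
)

# Constructed sample lines: the SMTP host drops from SCRAM-SHA-256 to PLAIN,
# the IMAP host stays on SCRAM-SHA-1 throughout.
SAMPLE_LOG = [
    "2026-05-01T10:00:00Z host=mail.example.test proto=smtp auth=SCRAM-SHA-256 result=ok",
    "2026-05-01T10:05:00Z host=mail.example.test proto=smtp auth=SCRAM-SHA-256 result=ok",
    "2026-05-01T10:10:00Z host=mail.example.test proto=smtp auth=PLAIN result=ok",
    "2026-05-01T10:12:00Z host=imap.example.test proto=imap auth=SCRAM-SHA-1 result=ok",
    "2026-05-01T10:15:00Z host=imap.example.test proto=imap auth=SCRAM-SHA-1 result=ok",
]


def parse_auth_events(lines):
    """Return (timestamp, host, proto, mechanism) tuples for lines that match."""
    events = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match:
            events.append((match["ts"], match["host"], match["proto"], match["mech"].upper()))
    return events


def detect_downgrades(lines):
    """Flag each authentication that uses a weaker mechanism than the strongest
    one previously observed for the same host and protocol."""
    strongest = {}   # (host, proto) -> strongest mechanism name seen so far
    alerts = []
    for ts, host, proto, mech in parse_auth_events(lines):
        key = (host, proto)
        rank = MECHANISM_RANK.get(mech, 0)
        baseline = strongest.get(key)
        if baseline is not None and rank < MECHANISM_RANK.get(baseline, 0):
            alerts.append({
                "time": ts,
                "host": host,
                "proto": proto,
                "expected": baseline,
                "observed": mech,
            })
        if baseline is None or rank > MECHANISM_RANK.get(baseline, 0):
            strongest[key] = mech
    return alerts


if __name__ == "__main__":
    for alert in detect_downgrades(SAMPLE_LOG):
        print("SASL downgrade: host=%(host)s proto=%(proto)s %(expected)s -> %(observed)s at %(time)s" % alert)
```

The baseline is the strongest mechanism ever seen for the pair, not merely the previous one, so a single weak login keeps alerting until someone investigates rather than quietly becoming the new normal. Pair this with a hard allowlist in the client configuration (refusing PLAIN and LOGIN outright where SCRAM is expected) so that the downgrade fails instead of only being logged.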

Evidence notes

The CVE record was published on 2026-04-24 and NVD last modified it on 2026-05-21. The NVD record reports CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (6.5, Medium) and lists vulnerable CPE coverage ending before 4.16.0. The vendor advisory linked from the record states that the internal read buffer is not flushed during STARTTLS upgrade in SmtpStream, ImapStream, and Pop3Stream, enabling response injection across the plaintext-to-TLS boundary.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-04-24 and updated in NVD on 2026-05-21; the linked vendor advisory provides the primary remediation details.