Vulnerability-Lookup

CVE-2026-44844 (GCVE-0-2026-44844)

Vulnerability from cvelistv5 – Published: 2026-05-26 19:49 – Updated: 2026-05-27 13:41

Title

eml_parser: Recursion DoS via nested message/rfc822 attachments

Summary

eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. This vulnerability is fixed in 3.0.1.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-674 - Uncontrolled Recursion

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/GOVCERT-LU/eml_parser/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
GOVCERT-LU	eml_parser	Affected: < 3.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44844",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T13:41:30.265578Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T13:41:33.306Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "eml_parser",
          "vendor": "GOVCERT-LU",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. This vulnerability is fixed in 3.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:49:45.723Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8"
        }
      ],
      "source": {
        "advisory": "GHSA-g47v-rwmh-r9f8",
        "discovery": "UNKNOWN"
      },
      "title": "eml_parser: Recursion DoS via nested message/rfc822 attachments"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44844",
    "datePublished": "2026-05-26T19:49:45.723Z",
    "dateReserved": "2026-05-07T21:21:48.353Z",
    "dateUpdated": "2026-05-27T13:41:33.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44844",
      "date": "2026-06-03",
      "epss": "0.0002",
      "percentile": "0.05867"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44844\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-26T21:16:39.163\",\"lastModified\":\"2026-06-01T18:22:32.550\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. This vulnerability is fixed in 3.0.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-674\"}]}],\"references\":[{\"url\":\"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"eml_parser: Recursion DoS via nested message/rfc822 attachments\", \"source\": {\"advisory\": \"GHSA-g47v-rwmh-r9f8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"GOVCERT-LU\", \"product\": \"eml_parser\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.0.1\"}]}], \"references\": [{\"url\": \"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8\", \"name\": \"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. This vulnerability is fixed in 3.0.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-674\", \"description\": \"CWE-674: Uncontrolled Recursion\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-26T19:49:45.723Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44844\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-27T13:41:30.265578Z\"}}}], \"references\": [{\"url\": \"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-05-27T13:41:11.011Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44844\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-26T19:49:45.723Z\", \"dateReserved\": \"2026-05-07T21:21:48.353Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-26T19:49:45.723Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44844

Vulnerability from fkie_nvd - Published: 2026-05-26 21:16 - Updated: 2026-06-01 18:22

Severity

6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. This vulnerability is fixed in 3.0.1."
    }
  ],
  "id": "CVE-2026-44844",
  "lastModified": "2026-06-01T18:22:32.550",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-26T21:16:39.163",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-674"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-G47V-RWMH-R9F8

Vulnerability from github – Published: 2026-05-08 23:12 – Updated: 2026-05-08 23:12

Summary

eml_parser has recursion DoS via nested message/rfc822 attachments

Details

Summary

EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests.

Details

The vulnerable function is EmlParser.get_raw_body_text() in eml_parser/parser.py. For every part of type multipart/*, the function iterates over its sub-parts; for every sub-part of type message/rfc822, it calls itself recursively on the inner message:

There is no depth parameter and no early-abort. CPython's default sys.recursionlimit is 1000. Each level of message/rfc822 nesting adds approximately 8 frames to the stack (parser code + stdlib _header_value_parser calls), so roughly 120 nested levels exhaust the limit.

The RecursionError is not caught anywhere along the call chain, so it propagates out of decode_email_bytes() and aborts processing of the entire message.

PoC

Environment: Python 3.12.3, eml_parser 3.0.0 (pip install eml_parser==3.0.0), default sys.recursionlimit=1000, Ubuntu 24.04 aarch64. No special configuration of EmlParser, default constructor.

Self-contained reproducer that builds the PoC and triggers the crash:

import eml_parser

def build_poc(depth=124):
    inner = b"From: a@a\r\nTo: b@b\r\nContent-Type: text/plain\r\n\r\n.\r\n"
    msg = inner
    for i in range(depth):
        b = f"B{i}".encode()
        msg = (
            b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
            b'--' + b + b'\r\nContent-Type: message/rfc822\r\n\r\n'
        ) + msg + b'\r\n--' + b + b'--\r\n'
    return msg

ep = eml_parser.EmlParser()
ep.decode_email_bytes(build_poc())
# RecursionError after ~76 ms on Apple Silicon (Ubuntu 24.04 aarch64).

Note that the suggested code does not produce an RFC compliant message. Resulting EML payload size: 12,369 bytes. SHA-256 of generated PoC: 00f15f635e21b4144967c2893b37425e6a6bd7b4185c557e5c7e904e1e6d18e8

The crash is deterministic on a stock install. No network, no special headers, no large attachments.

Impact

Denial of service of any pipeline that processes attacker-supplied EML files using eml_parser.

A single 12 KB email is enough to crash a worker. If the worker is a long-running process triaging multiple emails, the unhandled exception aborts processing of the whole batch unless the caller wraps the call in a broad try/except. Even then, attacker-supplied volume can keep workers in a perpetual restart loop.

The vulnerability is exploitable pre-authentication in any deployment that ingests emails from external senders which have not been subject to any kind of basic validation. Considering that email messages pass through a mail-server which does some kind of validation, messages as produced by the build_poc function would not reach eml_parser. Nonetheless recursion depth checks have been implemented to handle the described issue.

Reporter

Sebastián Alba Vives (@Sebasteuo) Independent security researcher, Senior AppSec Consultant LinkedIn: https://www.linkedin.com/in/sebastian-alba Email: sebasjosue84@gmail.com PGP: 0D1A E4C2 CFC8 894F 19EA DA24 45CD CA33 2CF8 31F4

Severity

6.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "eml_parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T23:12:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`EmlParser.get_raw_body_text()` recurses unconditionally for every nested `message/rfc822` attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested `message/rfc822` parts triggers an unhandled `RecursionError` and aborts parsing of the message. A 12 KB EML file is enough to crash a worker.\nThough this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests.\n\n### Details\n\nThe vulnerable function is `EmlParser.get_raw_body_text()` in `eml_parser/parser.py`. For every part of type `multipart/*`, the function iterates over its sub-parts; for every sub-part of type `message/rfc822`, it calls itself recursively on the inner message:\n\nThere is no depth parameter and no early-abort. CPython\u0027s default `sys.recursionlimit` is 1000. Each level of `message/rfc822` nesting adds approximately 8 frames to the stack (parser code + stdlib `_header_value_parser` calls), so roughly 120 nested levels exhaust the limit.\n\nThe `RecursionError` is not caught anywhere along the call chain, so it propagates out of `decode_email_bytes()` and aborts processing of the entire message.\n\n\n### PoC\n\nEnvironment: Python 3.12.3, eml_parser 3.0.0 (`pip install eml_parser==3.0.0`), default `sys.recursionlimit=1000`, Ubuntu 24.04 aarch64. No special configuration of `EmlParser`, default constructor.\n\nSelf-contained reproducer that builds the PoC and triggers the crash:\n\n```python\nimport eml_parser\n\ndef build_poc(depth=124):\n    inner = b\"From: a@a\\r\\nTo: b@b\\r\\nContent-Type: text/plain\\r\\n\\r\\n.\\r\\n\"\n    msg = inner\n    for i in range(depth):\n        b = f\"B{i}\".encode()\n        msg = (\n            b\u0027Content-Type: multipart/mixed; boundary=\"\u0027 + b + b\u0027\"\\r\\n\\r\\n\u0027\n            b\u0027--\u0027 + b + b\u0027\\r\\nContent-Type: message/rfc822\\r\\n\\r\\n\u0027\n        ) + msg + b\u0027\\r\\n--\u0027 + b + b\u0027--\\r\\n\u0027\n    return msg\n\nep = eml_parser.EmlParser()\nep.decode_email_bytes(build_poc())\n# RecursionError after ~76 ms on Apple Silicon (Ubuntu 24.04 aarch64).\n```\n\nNote that the suggested code does not produce an RFC compliant message.\nResulting EML payload size: 12,369 bytes.\nSHA-256 of generated PoC: `00f15f635e21b4144967c2893b37425e6a6bd7b4185c557e5c7e904e1e6d18e8`\n\nThe crash is deterministic on a stock install. No network, no special headers, no large attachments.\n\n### Impact\n\nDenial of service of any pipeline that processes attacker-supplied EML files using `eml_parser`.\n\nA single 12 KB email is enough to crash a worker. If the worker is a long-running process triaging multiple emails, the unhandled exception aborts processing of the whole batch unless the caller wraps the call in a broad `try/except`. Even then, attacker-supplied volume can keep workers in a perpetual restart loop.\n\nThe vulnerability is exploitable pre-authentication in any deployment that ingests emails from external senders which have not been subject to any kind of basic validation.\nConsidering that email messages pass through a mail-server which does some kind of validation, messages as produced by the  *build_poc* function would not reach eml_parser.\nNonetheless recursion depth checks have been implemented to handle the described issue.\n\n\n### Reporter\n\nSebasti\u00e1n Alba Vives (`@Sebasteuo`)\nIndependent security researcher, Senior AppSec Consultant\nLinkedIn: https://www.linkedin.com/in/sebastian-alba\nEmail: sebasjosue84@gmail.com\nPGP: `0D1A E4C2 CFC8 894F 19EA  DA24 45CD CA33 2CF8 31F4`",
  "id": "GHSA-g47v-rwmh-r9f8",
  "modified": "2026-05-08T23:12:51Z",
  "published": "2026-05-08T23:12:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/GOVCERT-LU/eml_parser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "eml_parser has recursion DoS via nested message/rfc822 attachments"
}

MSRC_CVE-2026-44844

Vulnerability from csaf_microsoft - Published: 2026-05-02 00:00 - Updated: 2026-06-02 01:44

Summary

eml_parser: Recursion DoS via nested message/rfc822 attachments

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-44844

CWE-674 - Uncontrolled Recursion

Affected products

Known not affected 1 product

Product	Identifier	Version	Remediation
Unresolved product id: 17084-1		—

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-44844 eml_parser: Recursion DoS via nested message/rfc822 attachments - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-44844.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "eml_parser: Recursion DoS via nested message/rfc822 attachments",
    "tracking": {
      "current_release_date": "2026-06-02T01:44:12.000Z",
      "generator": {
        "date": "2026-06-02T07:14:05.866Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-44844",
      "initial_release_date": "2026-05-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-28T01:06:03.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2026-06-02T01:44:12.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "category": "product_name",
            "name": "azl3 perl-XML-Parser 0:2.47-2.azl3",
            "product": {
              "name": "azl3 perl-XML-Parser 0:2.47-2.azl3",
              "product_id": "1"
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 perl-XML-Parser 0:2.47-2.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-44844",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "flags": [
        {
          "label": "component_not_present",
          "product_ids": [
            "17084-1"
          ]
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-44844 eml_parser: Recursion DoS via nested message/rfc822 attachments - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-44844.json"
        }
      ],
      "title": "eml_parser: Recursion DoS via nested message/rfc822 attachments"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44844 (GCVE-0-2026-44844)

FKIE_CVE-2026-44844

GHSA-G47V-RWMH-R9F8

Summary

Details

PoC

Impact

Reporter

MSRC_CVE-2026-44844

Tags

Sightings

Nomenclature