CVE-2023-51765
Description
SMTP smuggling in sendmail through 8.17.2 allows attackers to inject spoofed emails, bypassing SPF protection under certain configurations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SMTP smuggling in sendmail through 8.17.2 allows attackers to inject spoofed emails, bypassing SPF protection under certain configurations.
Vulnerability
A vulnerability exists in sendmail versions through 8.17.2 that allows SMTP smuggling in specific configurations. The issue arises because sendmail accepts . as a valid end-of-message indicator, while other popular mail servers do not recognize this sequence. When sendmail receives a message with an embedded . sequence, it may interpret it as an early end-of-message, allowing an attacker to inject a second message with a spoofed MAIL FROM address. The vulnerability is resolved in sendmail 8.18 and later versions by requiring the 'o' flag in srv_features [1][2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted email via a vulnerable sendmail server. The attacker needs network access to communicate with the SMTP server and relies on the existence of a downstream mail server that uses differing end-of-message sequences. The exploitation technique, known as SMTP smuggling, involves embedding . within an email to prematurely terminate the first message and inject a second crafted email with a spoofed sender address [1][4].
Impact
Successful exploitation allows an attacker to inject email messages with a spoofed MAIL FROM address, effectively bypassing Sender Policy Framework (SPF) protection. This can enable targeted phishing attacks and email spoofing, undermining the integrity and authenticity of email communications [1][3].
Mitigation
The vulnerability is fixed in sendmail version 8.18 and later, where the 'o' flag in srv_features must be explicitly set to allow the vulnerable behavior. Users of sendmail 8.17.2 and earlier should upgrade to version 8.18 or later. If upgrading is not immediately possible, administrators can mitigate the issue by ensuring that sendmail does not accept . as an end-of-message indicator, though the specific configuration changes are not fully detailed in the available references [1][2][4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
5- osv-coords4 versionspkg:rpm/opensuse/sendmail&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/sendmail&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/sendmail&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2012pkg:rpm/suse/sendmail&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5
< 8.15.2-150000.8.12.1+ 3 more
- (no CPE)range: < 8.15.2-150000.8.12.1
- (no CPE)range: < 8.15.2-150000.8.12.1
- (no CPE)range: < 8.14.9-4.9.1
- (no CPE)range: < 8.15.2-150000.8.12.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Interpretation difference in the SMTP end-of-data sequence: sendmail accepts "
Attack vector
An attacker exploits interpretation differences in the SMTP end-of-data sequence between outbound and inbound SMTP servers. Sendmail supports `
Affected code
The vulnerability affects sendmail through version 8.17.2. The advisory does not specify exact function or file paths, but the issue lies in how sendmail interprets the end-of-data sequence in SMTP sessions — it accepts `
What the fix does
The fix is implemented in sendmail 8.18 and later versions by adding 'o' in srv_features [ref_id=1]. This configuration change alters how sendmail handles the end-of-data sequence, making it stricter and less permissive of non-standard line endings. The advisory does not provide a patch diff, but the remediation guidance is to upgrade to 8.18 or later and ensure 'o' is set in srv_features to close the smuggling vector.
Preconditions
- configThe target inbound SMTP server must be running sendmail through version 8.17.2
- configThe outbound SMTP server must accept . as a valid end-of-data sequence while the inbound server does not
- authThe attacker must be able to send SMTP data to the outbound server, typically by authenticating as a legitimate user
- inputThe attacker must craft an SMTP message containing an embedded . sequence within the message body
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
17- www.openwall.com/lists/oss-security/2023/12/24/1mitremailing-list
- www.openwall.com/lists/oss-security/2023/12/25/1mitremailing-list
- www.openwall.com/lists/oss-security/2023/12/26/5mitremailing-list
- www.openwall.com/lists/oss-security/2023/12/29/5mitremailing-list
- www.openwall.com/lists/oss-security/2023/12/30/1mitremailing-list
- www.openwall.com/lists/oss-security/2023/12/30/3mitremailing-list
- lists.debian.org/debian-lts-announce/2024/06/msg00004.htmlmitremailing-list
- access.redhat.com/security/cve/CVE-2023-51765mitre
- bugzilla.redhat.com/show_bug.cgimitre
- bugzilla.suse.com/show_bug.cgimitre
- fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.htmlmitre
- github.com/freebsd/freebsd-src/commit/5dd76dd0cc19450133aa379ce0ce4a68ae07fb39mitre
- lwn.net/Articles/956533/mitre
- sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/mitre
- www.openwall.com/lists/oss-security/2023/12/21/7mitre
- www.openwall.com/lists/oss-security/2023/12/22/7mitre
- www.youtube.com/watchmitre
News mentions
0No linked articles in our index yet.