Home

Description

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, an infinite loop was discovered in the TNEF decoder, which may lead to denial of service upon opening an email with a TNEF attachment.

PUBLISHED Reserved 2026-07-14 | Published 2026-07-14 | Updated 2026-07-14 | Assigner mitre




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Problem types

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Product status

Default status
unaffected

1.6.0 (semver) before 1.6.17
affected

1.7.0 (semver) before 1.7.2
affected

References

roundcube.net/...026/07/05/security-updates-1.6.17-and-1.7.2

github.com/roundcube/roundcubemail/releases/tag/1.7.2

github.com/...ommit/877269c79359d959a94f13c9070cab0f3389c193

github.com/...ommit/fb952956c6eaf29e963f1a718d028d66e7957ce0

github.com/roundcube/roundcubemail/releases/tag/1.6.17

github.com/...ommit/a007321346380136b3de2bd75b486b04f63c0d38

github.com/...ommit/132ac8dd5a55c8466be12de1daf84355697ffa89

cve.org (CVE-2026-62642)

nvd.nist.gov (CVE-2026-62642)

Download JSON