CVE-2026-40372 - Is Smartermail affected?
Problem reported by Jay Altemoos - 4/22/2026 at 11:09 AM
Resolved
I saw this article today:


I checked Smartermail Enterprise and the SDK is .NET 10.0.0. Is my server at risk?

We are running build 9518 and have a plan to update to the latest build available.

George To Replied
It may relate to Linux, macOS, or another non-Windows OS.
J. LaDow Replied
In theory, the underlying framework used can be upgraded. SM has a .NET Core 10 dependency, which means 10.0.0 as a minimum. You should be able to upgrade the underlying dependency at the OS level and be just fine.

We routinely look at the dependency level and push to the most recent version (making sure old/insecure versions are uninstalled) -- 

One of the builds we installed bundled 10.0.2 and we run with 10.0.3 without issue.

We're due to update, and will be installing 10.0.7 before running SM's installer - this keeps SM from trying to install its own if it finds a version = or > than what's required.

BEFORE ANYTHING the real question is whether or not SM was using the broken libraries, and if so, will upgrading to the fixed versions cause data file corruption or inability to read old encrypted data if it was being calculated wrong.

Which means that before anything, BACKUPS at a minimum...
MailEnable survivor / convert --
Derek Curtis Replied
Employee Post Marked As Resolution
This CVE doesn't affect SmarterMail.

As George To pointed out, the Microsoft Security Response Center has this to say:

You are affected if all three of the following are true:

1. Your application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (directly, or through a package that depends on it such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis).
2. The NuGet copy of the library was actually loaded at runtime — not the shared framework copy. This typically means you deploy self-contained, or your installed shared framework is older than the NuGet package version.
3. Your application runs on Linux, macOS, or another non-Windows OS.

While we do have a reference to the affected DLL, we don't get it from NuGet nor from a package that depends on it. So we don't meet criteria #2.

A few other things:

1. While you can upgrade .NET out of band (as J. LaDow points out), it can be a pain for Linux. So, we do include the framework pieces of .NET updates with our own installs/upgrades. We'll be including this .NET update in this week's release.

2. Encryption won't be an issue, or breaking of any encryption, with the .NET update. SmarterMail uses a different .NET library for encryption.
Derek Curtis
CCO
SmarterTools Inc.
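The three MSRC conditions quoted above (package referenced from NuGet, NuGet copy actually loaded instead of the shared framework copy, non-Windows host) can be checked mechanically on any .NET app, not just SmarterMail. The script below is an added example and is not SmarterTools' or Microsoft's code. It takes the app's `<App>.deps.json`, the output of `dotnet --list-runtimes`, a self-contained flag and the platform name as strings so it runs offline; the `MyMailApp` deps.json and the runtime listings are constructed samples, and the "newer version wins" rule in `nuget_copy_wins` is a simplification of the host's assembly/file version comparison, stated as an assumption in the code.

```python
"""
Triage helper for the three MSRC conditions quoted in the thread:
  1. the app references the Microsoft.AspNetCore.DataProtection 10.0.6 NuGet package,
  2. the NuGet (app-local) copy of the DLL is the one loaded at runtime,
  3. the host is not Windows.
Added example, not SmarterTools' code. All inputs are strings so it runs offline.
"""
import json
import re
from typing import Optional

AFFECTED_PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_VERSION = (10, 0, 6)
SHARED_FRAMEWORK = "Microsoft.AspNetCore.App"


def parse_version(text: str) -> tuple:
    """'10.0.6' -> (10, 0, 6); a pre-release suffix such as '-rc.1' is dropped."""
    return tuple(int(p) for p in re.split(r"[.-]", text)[:3])


def nuget_dataprotection_version(deps_json: str) -> Optional[tuple]:
    """Criterion 1: version of the DataProtection *package* (type == "package")
    listed in the app's deps.json, or None if the app only uses the framework copy."""
    deps = json.loads(deps_json)
    for key, lib in deps.get("libraries", {}).items():
        name, _, version = key.partition("/")
        if name == AFFECTED_PACKAGE and lib.get("type") == "package":
            return parse_version(version)
    return None


def newest_shared_framework(list_runtimes_output: str) -> Optional[tuple]:
    """Parse `dotnet --list-runtimes` lines such as
    'Microsoft.AspNetCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]'
    and return the newest installed Microsoft.AspNetCore.App version."""
    pattern = re.compile(rf"^{re.escape(SHARED_FRAMEWORK)}\s+(\S+)\s+\[")
    found = [parse_version(m.group(1))
             for line in list_runtimes_output.splitlines()
             if (m := pattern.match(line.strip()))]
    return max(found) if found else None


def nuget_copy_wins(package_version, framework_version, self_contained: bool) -> bool:
    """Criterion 2 (assumption: simplified to a version-number comparison; the real host
    compares assembly and then file versions). The app-local NuGet DLL is loaded when the
    deployment is self-contained (no shared framework at all) or when the installed shared
    framework is older than the package; otherwise the newer framework copy is used."""
    if package_version is None:
        return False
    if self_contained or framework_version is None:
        return True
    return framework_version < package_version


def is_affected(deps_json: str, list_runtimes_output: str,
                self_contained: bool, platform: str) -> dict:
    """Combine the three criteria; 'affected' is True only when all three hold."""
    pkg = nuget_dataprotection_version(deps_json)
    fw = newest_shared_framework(list_runtimes_output)
    c1 = pkg == AFFECTED_VERSION
    c2 = nuget_copy_wins(pkg, fw, self_contained)
    c3 = not platform.lower().startswith("win")
    return {"package": pkg, "framework": fw, "uses_affected_package": c1,
            "nuget_copy_loaded": c2, "non_windows": c3, "affected": c1 and c2 and c3}


# Constructed sample: a framework-dependent app that pulls the package in via
# Microsoft.AspNetCore.DataProtection.StackExchangeRedis (hypothetical app name).
SAMPLE_DEPS = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v10.0"},
    "targets": {".NETCoreApp,Version=v10.0": {}},
    "libraries": {
        "MyMailApp/1.0.0": {"type": "project", "serviceable": False, "sha512": ""},
        "Microsoft.AspNetCore.DataProtection/10.0.6":
            {"type": "package", "serviceable": True, "sha512": "sha512-..."},
        "Microsoft.AspNetCore.DataProtection.StackExchangeRedis/10.0.6":
            {"type": "package", "serviceable": True, "sha512": "sha512-..."},
    },
})
# Constructed `dotnet --list-runtimes` output: shared framework older than the package.
OLD_RUNTIMES = (
    "Microsoft.AspNetCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n"
    "Microsoft.NETCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]\n"
)
# Constructed output after installing the patched shared framework.
NEW_RUNTIMES = (
    "Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n"
    "Microsoft.NETCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]\n"
)

if __name__ == "__main__":
    for label, args in [("linux, old framework", (SAMPLE_DEPS, OLD_RUNTIMES, False, "linux")),
                        ("linux, patched framework", (SAMPLE_DEPS, NEW_RUNTIMES, False, "linux")),
                        ("linux, self-contained", (SAMPLE_DEPS, "", True, "linux")),
                        ("windows, old framework", (SAMPLE_DEPS, OLD_RUNTIMES, False, "win32"))]:
        print(f"{label}: {is_affected(*args)}")
```

On a real host, feed `newest_shared_framework` the actual `dotnet --list-runtimes` output and `nuget_dataprotection_version` the app's `.deps.json`; an app that, like SmarterMail as described above, carries no `type: "package"` entry for the library fails criterion 1 outright, and a Linux install with the 10.0.7 shared framework in place fails criterion 2 even if the package is referenced.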
Jay Altemoos Replied
Thank you for the information everyone. I greatly appreciate it.
SmP Replied
If we're running the current SM release on Windows by itself, does that mean that we need to take more actions than just running the latest SM update once it comes out or do we need to remove the older .net versions first?
Derek Curtis Replied
Employee Post
No need to uninstall anything. Once the new Build is available, just upgrade normally. 
Derek Curtis
CCO
SmarterTools Inc.
