EIP-2026-114760

PRE-CVE

Debian 2.x / RedHat 6.2 / IRIX 5/6 / Solaris 2.x - Mail Reply-To Field

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114760. PoCs published by Gregory Duchemin.

AI-analyzed exploit summary This exploit leverages a vulnerability in the 'mail' console e-mail client by crafting a malicious Reply-To field with hidden shell metacharacters and backspace characters to deceive the recipient. Upon reply, arbitrary commands from a pre-placed file in /tmp are executed, potentially leading to privilege escalation.

Description

Debian 2.x / RedHat 6.2 / IRIX 5/6 / Solaris 2.x - Mail Reply-To Field

Exploits (1)

exploitdb WORKING POC VERIFIED

by Gregory Duchemin · perllocalunix

https://www.exploit-db.com/exploits/20382

View Code ZIP pw:eip

This exploit leverages a vulnerability in the 'mail' console e-mail client by crafting a malicious Reply-To field with hidden shell metacharacters and backspace characters to deceive the recipient. Upon reply, arbitrary commands from a pre-placed file in /tmp are executed, potentially leading to privilege escalation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: mail (console e-mail client, multiple vendor distributions)

No auth needed

Prerequisites: Access to send an email to the target · Target must reply to the malicious email

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1059.004 - Unix Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026