1. Ubuntu Security Notices
  2. USN-7731-1

USN-7731-1: KMail vulnerabilities

Publication date

2 September 2025

Overview

Several security issues were fixed in KMail.

Releases

Packages

  • kmail - Full featured graphical email client

Details

Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising,
Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg
Schwenk discovered that KMail could be made to leak the plaintext
of S/MIME encrypted emails when retrieving external content in emails.
Under certain configurations, if a user were tricked into opening a
specially crafted email, an attacker could possibly use this issue to
obtain the plaintext of an encrypted email. This update mitigates the
issue by preventing KMail from automatically loading external content.
This issue only affected Ubuntu 18.04 LTS. (CVE-2017-17689)

It was discovered that KMail could be made to attach files to an email
without the user's knowledge. If a user were tricked into sending an
email created by a specially crafted "mailto" link, an attacker could
possibly use this issue to obtain sensitive files. (

Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising,
Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg
Schwenk discovered that KMail could be made to leak the plaintext
of S/MIME encrypted emails when retrieving external content in emails.
Under certain configurations, if a user were tricked into opening a
specially crafted email, an attacker could possibly use this issue to
obtain the plaintext of an encrypted email. This update mitigates the
issue by preventing KMail from automatically loading external content.
This issue only affected Ubuntu 18.04 LTS. (CVE-2017-17689)

It was discovered that KMail could be made to attach files to an email
without the user's knowledge. If a user were tricked into sending an
email created by a specially crafted "mailto" link, an attacker could
possibly use this issue to obtain sensitive files. (CVE-2020-11880)

Update instructions

After a standard system update you need to restart KMail to make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
20.04 focal kmail –  4:19.12.3-0ubuntu1+esm1  
18.04 bionic kmail –  4:17.12.3-0ubuntu1+esm1  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›