mail.local in Sendmail 8.10.x does not properly identify the .\n string which identifies the end of message text, which allows a remote attacker to cause a denial of service or corrupt mailboxes via a message line that is 2047 characters long and ends in .\n.

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Local users can start Sendmail in daemon mode and gain root privileges.