Skip to main content

OX Dovecot Pro CVE-2026-27857

| EUVDEUVD-2026-16567 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-03-27 OX GHSA-j26c-8p6m-gpfj
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity command abuse (AV:N/AC:L/PR:N/UI:N) causing process kill and dropped connections; availability-only (A:H), no confidentiality or integrity impact, unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Ubuntu
MEDIUM
qualitative
SUSE
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 30, 2026 - 04:41 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:41 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 03:24 NVD
4.3 (MEDIUM) 7.5 (HIGH)
Patch released
Mar 31, 2026 - 13:49 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 08:30 euvd
EUVD-2026-16567
Analysis Generated
Mar 27, 2026 - 08:30 vuln.today
CVE Published
Mar 27, 2026 - 08:10 nvd
MEDIUM 4.3

DescriptionNVD

Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.

AnalysisAI

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticated network attacker exhaust process memory by sending NOOP commands containing thousands of nested parentheses. Each such command consumes roughly 1 MB, and by withholding the terminating line-feed the attacker keeps the allocation alive; ~1000 concurrent connections from even a single source IP can pin around 1 GB, breaching the process VSZ limit and killing the service along with its proxied connections. There is no public exploit identified at time of analysis (EPSS 0.04%, percentile 12; CISA SSVC exploitation=none), but the vector is trivial and a vendor patch is available.

Technical ContextAI

Dovecot Pro is Open-Xchange's commercial, hardened build of the Dovecot IMAP/POP3 mail server and proxy, widely used by mail-hosting providers as the back-end and front-end MDA/proxy layer. The flaw is classed as CWE-400 (Uncontrolled Resource Consumption): the command parser allocates memory proportional to the depth/count of parenthesis tokens supplied with a NOOP command (~1 MB for 4000 open+close pairs) without bounding total per-connection or per-process allocation, and that memory is not freed while the command line remains unterminated (no LF received). The affected component is identified by CPE cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro across all versions through 2.3.0. Because the parser tolerates arbitrarily many connections each holding a partial command, an attacker can multiply the per-connection cost until the kernel/ulimit VSZ ceiling forces the process to be killed.

RemediationAI

Install the fixed version supplied by Open-Xchange - the vendor states explicitly that upgrading is the only remediation and that no workaround exists. Patch is available per the vendor advisory (oxdc-adv-2026-0001 at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json); the exact fixed build should be taken from that CSAF or from your distribution's package update rather than guessed. Distribution users should apply the corresponding errata: Ubuntu USN-8136-1 (https://ubuntu.com/security/notices/USN-8136-1), the relevant Red Hat RHSA (e.g. access.redhat.com/errata/RHSA-2026:19364), or the Debian security update for their release. Until patched, the only compensating controls are operational: place per-IP connection-rate and concurrent-connection limits in front of the IMAP/POP3 listener (e.g. firewall/conntrack or a load-balancer connection cap) to blunt the 1000-connection amplification, and consider raising the process VSZ/ulimit headroom - but note these only raise the bar and do not eliminate the exhaustion, and aggressive per-IP limits risk impacting legitimate clients behind shared NAT.

CVE-2026-27851 CRITICAL
9.1 May 12

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in th

CVE-2026-24031 HIGH
8.2 Mar 27

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up t

CVE-2025-59032 HIGH
7.5 Mar 27

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using liter

CVE-2026-27858 HIGH
7.5 Mar 27

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attack

CVE-2026-27856 MEDIUM
5.9 Mar 27

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing re

CVE-2025-59028 MEDIUM
5.3 Mar 27

OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurre

CVE-2026-0394 MEDIUM
5.3 Mar 27

Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd whe

CVE-2026-27859 MEDIUM
5.3 Mar 27

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormal

CVE-2025-59031 MEDIUM
4.3 Mar 27

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attack

CVE-2026-42006 MEDIUM
4.3 May 12

OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessi

CVE-2026-40020 LOW
3.1 May 12

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_all

Vendor StatusVendor

Ubuntu

Priority: Medium
dovecot
Release Status Version
trusty not-affected code not present
xenial not-affected code not present
bionic not-affected code not present
focal needed -
jammy needed -
noble needed -
questing needed -
upstream released 2.4.3

Debian

dovecot
Release Status Fixed Version Urgency
bullseye vulnerable 1:2.3.13+dfsg1-2+deb11u1 -
bullseye (security) vulnerable 1:2.3.13+dfsg1-2+deb11u2 -
bookworm, bookworm (security) vulnerable 1:2.3.19.1+dfsg1-2.1+deb12u1 -
trixie vulnerable 1:2.4.1+dfsg1-6+deb13u3 -
trixie (security) vulnerable 1:2.4.1+dfsg1-6+deb13u1 -
forky, sid vulnerable 1:2.4.2+dfsg1-4 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-27857 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy