Skip to main content

Ox Dovecot Pro CVE-2026-27859

| EUVDEUVD-2026-16571 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-27 OX
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM
qualitative
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 13:49 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 08:30 euvd
EUVD-2026-16571
Analysis Generated
Mar 27, 2026 - 08:30 vuln.today
CVE Published
Mar 27, 2026 - 08:10 nvd
MEDIUM 5.3

DescriptionCVE.org

A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU time. Use MTA capabilities to limit RFC 2231 MIME parameters in mail messages, or upgrade to fixed version where the processing is limited. No publicly available exploits are known.

AnalysisAI

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormally high numbers of RFC 2231 MIME parameters, enabling remote denial of service without authentication or user interaction. Unauthenticated remote attackers can craft malicious MIME messages to trigger algorithmic complexity in parameter parsing, degrading mail service availability. No public exploit code is currently known, and patch availability has not been independently confirmed from the provided advisory reference.

Technical ContextAI

RFC 2231 defines encoding mechanisms for MIME parameter values, particularly for non-ASCII character representation in Content-Disposition and Content-Type headers. The vulnerability resides in the LMTP (Local Mail Transfer Protocol) component of OX Dovecot Pro, which handles mail delivery and parameter processing. The root cause is classified as CWE-400 (Uncontrolled Resource Consumption), indicating that the MIME parameter parsing logic lacks adequate bounds checking or algorithmic complexity limits. When a single mail message contains an excessive quantity of RFC 2231 parameters, the parser enters a resource-exhaustion state, consuming disproportionate CPU cycles. This is a classic algorithmic complexity attack vector where input validation fails to constrain the computational cost of parsing operations.

RemediationAI

Upgrade OX Dovecot Pro to the patched version released by Open-Xchange (exact version number to be confirmed from the vendor advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json). As an interim mitigation pending patching, implement MTA-level RFC 2231 parameter limits to reject or truncate messages with excessive MIME parameters, leveraging native mail server policy controls. Network-level rate limiting on SMTP/LMTP connections can reduce the impact of malicious message floods. Until patching is completed, monitor mail delivery processes for sustained high CPU consumption and establish alerts on LMTP resource utilization anomalies.

CVE-2026-27851 CRITICAL
9.1 May 12

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in th

CVE-2026-24031 HIGH
8.2 Mar 27

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up t

CVE-2025-59032 HIGH
7.5 Mar 27

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using liter

CVE-2026-27858 HIGH
7.5 Mar 27

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attack

CVE-2026-27857 HIGH
7.5 Mar 27

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticate

CVE-2026-27856 MEDIUM
5.9 Mar 27

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing re

CVE-2025-59028 MEDIUM
5.3 Mar 27

OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurre

CVE-2026-0394 MEDIUM
5.3 Mar 27

Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd whe

CVE-2025-59031 MEDIUM
4.3 Mar 27

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attack

CVE-2026-42006 MEDIUM
4.3 May 12

OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessi

CVE-2026-40020 LOW
3.1 May 12

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_all

Vendor StatusVendor

Ubuntu

Priority: Medium
dovecot
Release Status Version
trusty needed -
xenial needed -
bionic needed -
focal needed -
jammy needed -
noble needed -
questing needed -
upstream released 2.4.3

Debian

dovecot
Release Status Fixed Version Urgency
bullseye vulnerable 1:2.3.13+dfsg1-2+deb11u1 -
bullseye (security) vulnerable 1:2.3.13+dfsg1-2+deb11u2 -
bookworm, bookworm (security) vulnerable 1:2.3.19.1+dfsg1-2.1+deb12u1 -
trixie vulnerable 1:2.4.1+dfsg1-6+deb13u3 -
trixie (security) vulnerable 1:2.4.1+dfsg1-6+deb13u1 -
forky, sid vulnerable 1:2.4.2+dfsg1-4 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-27859 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy