CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Description (NVD)
An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, an attacker can cause memory usage up to the configured memory limit. Install a fixed version, or configure vsz_limit for the imap process to a low value. No publicly available exploits are known.
Analysis (AI)
OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessive open braces in IMAP commands, bypassing the incomplete fix from CVE-2026-27857, which only blocked closing braces. An attacker with valid IMAP credentials can exhaust server memory up to the configured vsz_limit, crashing the IMAP process and disrupting mail service.
EUVD-2026-29473
GHSA-h665-fh45-xq6r