Skip to main content

OX Dovecot Pro CVE-2026-42006

| EUVDEUVD-2026-29473 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-12 OX GHSA-h665-fh45-xq6r
4.3
CVSS 3.1 · Vendor: OX
Share

Severity by source

Vendor (OX) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (OX).

CVSS VectorVendor: OX

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 14:16 vuln.today
CVE Published
May 12, 2026 - 13:28 nvd
MEDIUM 4.3

DescriptionCVE.org

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

AnalysisAI

OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessive open braces in IMAP commands, bypassing the incomplete fix from CVE-2026-27857 which only blocked closing braces. An attacker with valid IMAP credentials can exhaust server memory up to the configured vsz_limit, crashing the IMAP process and disrupting mail service.

Technical ContextAI

The vulnerability exists in the IMAP protocol handler within OX Dovecot Pro. IMAP uses parentheses and braces for command structure and literal syntax. The original CVE-2026-27857 patched excessive closing braces to prevent unbounded memory allocation, but the fix was incomplete-it failed to account for open braces used in the same attack pattern. The underlying root cause is CWE-400 (Uncontrolled Resource Consumption), where insufficient input validation on IMAP command parsing allows an attacker to trigger memory allocation without proper bounds checking. The IMAP protocol permits nested structures and literals, which are parsed into memory; excessive nesting via open braces forces the parser to allocate memory for each level, consuming RAM until the process hits the configured virtual memory limit (vsz_limit) and is terminated by the kernel.

RemediationAI

Upgrade OX Dovecot Pro to the patched version specified in the vendor advisory https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json. As an interim mitigation pending patching, configure the vsz_limit parameter for the IMAP process to a low value (e.g., 256 MB or lower depending on expected mail size), which will terminate excessively memory-consuming IMAP sessions before they exhaust system RAM. This workaround sacrifices server responsiveness under load and may prematurely kill legitimate large-message operations, so it is suitable only for temporary protection. Additionally, restrict IMAP access via firewall or network segmentation to trusted networks only, reducing the population of authenticated users who can exploit this vulnerability. Monitor IMAP process memory consumption (vsz and rss metrics) for anomalies indicating active exploitation attempts.

CVE-2026-27851 CRITICAL
9.1 May 12

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in th

CVE-2026-24031 HIGH
8.2 Mar 27

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up t

CVE-2025-59032 HIGH
7.5 Mar 27

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using liter

CVE-2026-27858 HIGH
7.5 Mar 27

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attack

CVE-2026-27857 HIGH
7.5 Mar 27

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticate

CVE-2026-27856 MEDIUM
5.9 Mar 27

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing re

CVE-2025-59028 MEDIUM
5.3 Mar 27

OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurre

CVE-2026-0394 MEDIUM
5.3 Mar 27

Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd whe

CVE-2026-27859 MEDIUM
5.3 Mar 27

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormal

CVE-2025-59031 MEDIUM
4.3 Mar 27

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attack

CVE-2026-40020 LOW
3.1 May 12

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_all

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-42006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy