CVE-2026-27857

EUVD-2026-16567
Sending a "NOOP (((...)))" command with 4000 open+close parentheses results in ~1 MB of extra memory usage. Longer commands result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command-terminating LF, so an attacker, possibly even from a single IP, could create 1000 connections to allocate 1 GB of memory, which would likely result in reaching the VSZ limit and killing the process and its other proxied connections. Install the fixed version; there is no other remediation. No publicly available exploits are known.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.3 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |

Base Score: 4.3 (CVSS 3.x)
EPSS Score: Percentile 30%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | x < 2.4.3 |
| open-xchange | dovecot | x < 2.3.22.1 |
| open-xchange | dovecot | 3.0.0 ≤ x < 3.0.5 |
| open-xchange | dovecot | 3.1.0 ≤ x < 3.1.4 |

x = vulnerable software versions
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| dovecot | bookworm | 1:2.3.19.1+dfsg1-2.1+deb12u5 | fixed |
| dovecot | bookworm (security) | 1:2.3.19.1+dfsg1-2.1+deb12u6 | fixed |
| dovecot | bullseye | | vulnerable |
| dovecot | bullseye (security) | 1:2.3.13+dfsg1-2+deb11u4 | fixed |
| dovecot | forky | 1:2.4.4+dfsg1-1 | fixed |
| dovecot | sid | 1:2.4.4+dfsg1-1 | fixed |
| dovecot | trixie | 1:2.4.1+dfsg1-6+deb13u5 | fixed |
| dovecot | trixie (security) | 1:2.4.1+dfsg1-6+deb13u6 | fixed |
Ubuntu Releases

| Ubuntu Product | Codename | Fixed Version | Status |
|---|---|---|---|
| dovecot | bionic | | not-affected |
| dovecot | focal | | needed |
| dovecot | jammy | 1:2.3.16+dfsg1-3ubuntu2.7 | released |
| dovecot | noble | 1:2.3.21+dfsg1-2ubuntu6.3 | released |
| dovecot | questing | 1:2.4.1+dfsg1-5ubuntu4.1 | released |
| dovecot | resolute | | not-affected |
| dovecot | trusty | | not-affected |
| dovecot | xenial | | not-affected |
openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| dovecot22 | suse enterprise server 12 SP3 | 2.2.31-19.32.1 | fixed |
| dovecot22 | suse enterprise server 12 SP5 | 2.2.31-19.32.1 | fixed |
| dovecot22-backend-mysql | suse enterprise server 12 SP3 | 2.2.31-19.32.1 | fixed |
| dovecot22-backend-mysql | suse enterprise server 12 SP5 | 2.2.31-19.32.1 | fixed |
| dovecot22-backend-pgsql | suse enterprise server 12 SP3 | 2.2.31-19.32.1 | fixed |
| dovecot22-backend-pgsql | suse enterprise server 12 SP5 | 2.2.31-19.32.1 | fixed |
| dovecot22-backend-sqlite | suse enterprise server 12 SP3 | 2.2.31-19.32.1 | fixed |
| dovecot22-backend-sqlite | suse enterprise server 12 SP5 | 2.2.31-19.32.1 | fixed |
| dovecot22-devel | suse enterprise server 12 SP5 | 2.2.31-19.32.1 | fixed |
Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| dovecot | RHEL 8 | 1:2.3.16-7.el8_10 | fixed |
| dovecot | RHEL 8.4 AUS | 1:2.3.8-9.el8_4.1 | fixed |
| dovecot | RHEL 8.6 AUS | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot | RHEL 8.6 E4S | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot | RHEL 8.6 TUS | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot | RHEL 8.8 E4S | 1:2.3.16-3.el8_8.1 | fixed |
| dovecot | RHEL 8.8 TUS | 1:2.3.16-3.el8_8.1 | fixed |
| dovecot | RHEL 9 | 1:2.3.16-18.el9_8 | fixed |
| dovecot-devel | RHEL 8 | 1:2.3.16-7.el8_10 | fixed |
| dovecot-devel | RHEL 9 | 1:2.3.16-18.el9_8 | fixed |
| dovecot-mysql | RHEL 8 | 1:2.3.16-7.el8_10 | fixed |
| dovecot-mysql | RHEL 8.4 AUS | 1:2.3.8-9.el8_4.1 | fixed |
| dovecot-mysql | RHEL 8.6 AUS | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot-mysql | RHEL 8.6 E4S | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot-mysql | RHEL 8.6 TUS | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot-mysql | RHEL 8.8 E4S | 1:2.3.16-3.el8_8.1 | fixed |
| dovecot-mysql | RHEL 8.8 TUS | 1:2.3.16-3.el8_8.1 | fixed |
| dovecot-mysql | RHEL 9 | 1:2.3.16-18.el9_8 | fixed |
| dovecot-pgsql | RHEL 8 | 1:2.3.16-7.el8_10 | fixed |
| dovecot-pgsql | RHEL 8.4 AUS | 1:2.3.8-9.el8_4.1 | fixed |
| dovecot-pgsql | RHEL 8.6 AUS | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot-pgsql | RHEL 8.6 E4S | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot-pgsql | RHEL 8.6 TUS | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot-pgsql | RHEL 8.8 E4S | 1:2.3.16-3.el8_8.1 | fixed |
| dovecot-pgsql | RHEL 8.8 TUS | 1:2.3.16-3.el8_8.1 | fixed |
| dovecot-pgsql | RHEL 9 | 1:2.3.16-18.el9_8 | fixed |
| dovecot-pigeonhole | RHEL 8 | 1:2.3.16-7.el8_10 | fixed |
| dovecot-pigeonhole | RHEL 8.4 AUS | 1:2.3.8-9.el8_4.1 | fixed |
| dovecot-pigeonhole | RHEL 8.6 AUS | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot-pigeonhole | RHEL 8.6 E4S | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot-pigeonhole | RHEL 8.6 TUS | 1:2.3.16-2.el8_6.1 | fixed |
| dovecot-pigeonhole | RHEL 8.8 E4S | 1:2.3.16-3.el8_8.1 | fixed |
| dovecot-pigeonhole | RHEL 8.8 TUS | 1:2.3.16-3.el8_8.1 | fixed |
| dovecot-pigeonhole | RHEL 9 | 1:2.3.16-18.el9_8 | fixed |
Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| dovecot | Amazon Linux 2 | 1:2.2.36-6.amzn2.1.3 | fixed |
| dovecot | Amazon Linux 2023 | 1:2.3.20-1.amzn2023.0.3 | fixed |
| dovecot-debuginfo | Amazon Linux 2 | 1:2.2.36-6.amzn2.1.3 | fixed |
| dovecot-debuginfo | Amazon Linux 2023 | 1:2.3.20-1.amzn2023.0.3 | fixed |
| dovecot-debugsource | Amazon Linux 2023 | 1:2.3.20-1.amzn2023.0.3 | fixed |
| dovecot-devel | Amazon Linux 2 | 1:2.2.36-6.amzn2.1.3 | fixed |
| dovecot-devel | Amazon Linux 2023 | 1:2.3.20-1.amzn2023.0.3 | fixed |
| dovecot-mysql | Amazon Linux 2 | 1:2.2.36-6.amzn2.1.3 | fixed |
| dovecot-mysql | Amazon Linux 2023 | 1:2.3.20-1.amzn2023.0.3 | fixed |
| dovecot-mysql-debuginfo | Amazon Linux 2023 | 1:2.3.20-1.amzn2023.0.3 | fixed |
| dovecot-pgsql | Amazon Linux 2 | 1:2.2.36-6.amzn2.1.3 | fixed |
| dovecot-pgsql | Amazon Linux 2023 | 1:2.3.20-1.amzn2023.0.3 | fixed |
| dovecot-pgsql-debuginfo | Amazon Linux 2023 | 1:2.3.20-1.amzn2023.0.3 | fixed |
| dovecot-pigeonhole | Amazon Linux 2 | 1:2.2.36-6.amzn2.1.3 | fixed |
| dovecot-pigeonhole | Amazon Linux 2023 | 1:2.3.20-1.amzn2023.0.3 | fixed |
| dovecot-pigeonhole-debuginfo | Amazon Linux 2023 | 1:2.3.20-1.amzn2023.0.3 | fixed |