CVE-2026-27857

EUVD-2026-16567

27.03.2026, 09:16

Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
dovecot	dovecot	𝑥 < 2.4.3
open-xchange	dovecot	𝑥 < 2.3.22.1
open-xchange	dovecot	3.0.0 ≤ 𝑥 < 3.0.5
open-xchange	dovecot	3.1.0 ≤ 𝑥 < 3.1.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

dovecot

bookworm	vulnerable
bookworm (security)	1:2.3.19.1+dfsg1-2.1+deb12u4 fixed
bullseye	vulnerable
bullseye (security)	1:2.3.13+dfsg1-2+deb11u3 fixed
forky	1:2.4.3+dfsg1-2 fixed
sid	1:2.4.3+dfsg1-2 fixed
trixie	vulnerable
trixie (security)	1:2.4.1+dfsg1-6+deb13u4 fixed

Ubuntu Releases

Ubuntu Product

Codename

dovecot

bionic	not-affected
focal	needed
jammy	Fixed 1:2.3.16+dfsg1-3ubuntu2.7 released
noble	Fixed 1:2.3.21+dfsg1-2ubuntu6.3 released
questing	Fixed 1:2.4.1+dfsg1-5ubuntu4.1 released
resolute	not-affected
trusty	not-affected
xenial	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

dovecot22

suse enterprise server 12 SP3	2.2.31-19.32.1 fixed
suse enterprise server 12 SP5	2.2.31-19.32.1 fixed

dovecot22-backend-mysql

suse enterprise server 12 SP3	2.2.31-19.32.1 fixed
suse enterprise server 12 SP5	2.2.31-19.32.1 fixed

dovecot22-backend-pgsql

suse enterprise server 12 SP3	2.2.31-19.32.1 fixed
suse enterprise server 12 SP5	2.2.31-19.32.1 fixed

dovecot22-backend-sqlite

suse enterprise server 12 SP3	2.2.31-19.32.1 fixed
suse enterprise server 12 SP5	2.2.31-19.32.1 fixed

dovecot22-devel

suse enterprise server 12 SP5

2.2.31-19.32.1

fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

dovecot

RHEL 8	1:2.3.16-7.el8_10 fixed
RHEL 9	1:2.3.16-15.el9_7.1 fixed

dovecot-devel

RHEL 8	1:2.3.16-7.el8_10 fixed
RHEL 9	1:2.3.16-15.el9_7.1 fixed

dovecot-mysql

RHEL 8	1:2.3.16-7.el8_10 fixed
RHEL 9	1:2.3.16-15.el9_7.1 fixed

dovecot-pgsql

RHEL 8	1:2.3.16-7.el8_10 fixed
RHEL 9	1:2.3.16-15.el9_7.1 fixed

dovecot-pigeonhole

RHEL 8	1:2.3.16-7.el8_10 fixed
RHEL 9	1:2.3.16-15.el9_7.1 fixed

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Vulnerability Media Exposure

[GERMAN] Dovecot: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Dovecot ausnutzen, um SQL-Injection-Angriffe durchzuführen, die Authentifizierung zu umgehen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand herbeizuführen.
Published: 2026-03-26T23:00:00+00:00

References

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json