CVE-2026-42006

EUVD-2026-29473

12.05.2026, 14:17

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Affected Products (NVD)

Vendor	Product	Version
dovecot	dovecot	𝑥 < 2.4.4
open-xchange	dovecot	𝑥 < 3.1.5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

dovecot

bookworm	vulnerable
bookworm (security)	1:2.3.19.1+dfsg1-2.1+deb12u6 fixed
bullseye	vulnerable
bullseye (security)	1:2.3.13+dfsg1-2+deb11u4 fixed
forky	1:2.4.4+dfsg1-1 fixed
sid	1:2.4.4+dfsg1-1 fixed
trixie	vulnerable
trixie (security)	1:2.4.1+dfsg1-6+deb13u6 fixed

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Vulnerability Media Exposure

[GERMAN] OX Dovecot Pro: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in OX Dovecot Pro ausnutzen, um SQL-Injection-Angriffe durchzuführen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren oder offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-05-12T22:00:00+00:00

References

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json