HIGH🇬🇧 English

CVE-2026-27858

CVSS 7.5v3.1pub. 2026-03-27upd. 2026-06-30

Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No publicly available exploits are known.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Dovecot

    APP
    Dovecot
    < 2.4.3
  • Open Xchange Dovecot

    APP
    Open-Xchange
    < 2.3.22.13.0.0 – 3.0.5 (bez)3.1.0 – 3.1.4 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2019-11500CRITICAL9.8ten sam produkt

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can f...

CVE-2026-27851HIGH7.4ten sam produkt

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly i...

CVE-2026-24031HIGH7.7ten sam produkt

Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerabil...

CVE-2025-59032HIGH7.5ten sam produkt

ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to cras...

CVE-2026-27856HIGH7.4ten sam produkt

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An atta...