PT-2026-28365 · Dovecot+3 · Dovecot+3

Whisperer

Published: 2026-01-01 · Updated: 2026-05-19

CVE-2026-27857

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Dovecot versions prior to 2.4.3

Description

Sending a "NOOP (((...)))" command with a large number of parentheses (e.g., 4000 open and close) can lead to excessive memory consumption, approximately 1MB per command. If the sender withholds the command-terminating LF and keeps repeating this, the allocation can grow significantly, potentially reaching the VSZ limit and causing the process to terminate, which impacts other proxied connections. An attacker could establish numerous connections, potentially from a single IP address, to allocate a substantial amount of memory (e.g., 1GB) and disrupt the service.

Recommendations

Update to version 2.4.3 or later.
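The condition in the description, seen from the defensive side: the following is an added example, not Dovecot's code or its 2.4.3 fix, of a per-connection check that bounds both parenthesis nesting and the bytes held before the terminating LF. The class name and both limits are assumptions, and IMAP literals (`{n}`) are not handled.

```python
# Added example (not Dovecot code): per-connection guard for IMAP command lines.
# MAX_DEPTH and MAX_PENDING are assumed limits, not values from Dovecot.
MAX_DEPTH = 64      # deepest parenthesised list accepted
MAX_PENDING = 8192  # bytes accepted before the terminating LF

LF, QUOTE, BACKSLASH, OPEN, CLOSE = b'\n"\\()'


class ImapLineGuard:
    """Tracks nesting depth and unterminated bytes for one connection."""

    def __init__(self, max_depth=MAX_DEPTH, max_pending=MAX_PENDING):
        self.max_depth = max_depth
        self.max_pending = max_pending
        self._reset()

    def _reset(self):
        self.depth = 0
        self.pending = 0
        self.in_quote = False
        self.escaped = False

    def feed(self, data: bytes) -> str:
        """Scan one received chunk; return 'ok', 'too_deep' or 'line_too_long'."""
        for byte in data:
            if byte == LF:  # command complete: state starts over
                self._reset()
                continue
            self.pending += 1
            if self.pending > self.max_pending:
                return "line_too_long"
            if self.in_quote:  # parentheses inside "..." are plain data
                if self.escaped:
                    self.escaped = False
                elif byte == BACKSLASH:
                    self.escaped = True
                elif byte == QUOTE:
                    self.in_quote = False
            elif byte == QUOTE:
                self.in_quote = True
            elif byte == OPEN:
                self.depth += 1
                if self.depth > self.max_depth:
                    return "too_deep"
            elif byte == CLOSE and self.depth > 0:
                self.depth -= 1
        return "ok"
```

State persists across `feed()` calls, so nesting split over several chunks is still counted; a caller would close the connection on any verdict other than `ok`.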

Fix

Resource Exhaustion

Weakness Enumeration

Related identifiers

ALSA-2026:13498
ALSA-2026:13830
ALSA-2026:13857
ALSA-2026:19149
ALSA-2026:19364
CVE-2026-27857
OESA-2026-1849
OPENSUSE-SU-2026:10442-1
OPENSUSE-SU-2026:20554-1
RHSA-2026:13498
RHSA-2026:13830
RHSA-2026:13857
SUSE-SU-2026:21208-1
USN-8136-1

Affected products

Dovecot
Linuxmint
Rocky Linux
Ubuntu