PT-2026-28365 · Dovecot+3
Whisperer
Published: 2026-01-01
Updated: 2026-05-19
CVE-2026-27857
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Dovecot versions prior to 2.4.3
Description
Sending a "NOOP (((...)))" command with a large number of parentheses (e.g., 4000 open and close) can lead to excessive memory consumption, approximately 1 MB per command. Repeating this without sending the LF that terminates the command can result in significant memory allocation, potentially reaching the VSZ limit and causing the process to terminate, which impacts other proxied connections. An attacker could establish numerous connections, potentially from a single IP address, to allocate a substantial amount of memory (e.g., 1 GB) and disrupt the service.
Recommendations
Update to version 2.4.3 or later.
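The two conditions the description names, deep parenthesis nesting and a command that never receives its terminating LF, can be checked per connection on the input stream. The following is an added example, not Dovecot code and not the 2.4.3 fix; the class name and both limits are assumptions, and IMAP literals are not handled.

```python
MAX_DEPTH = 32        # assumed limit on parenthesis nesting per command
MAX_PENDING = 8192    # assumed limit on bytes buffered without a terminating LF


class ImapInputGuard:
    """Tracks one client connection; feed() returns a reason string or None."""

    def __init__(self, max_depth=MAX_DEPTH, max_pending=MAX_PENDING):
        self.max_depth = max_depth
        self.max_pending = max_pending
        self.depth = 0          # open parentheses in the current command
        self.pending = 0        # bytes received since the last LF
        self.in_quote = False   # inside a quoted string
        self.escaped = False    # previous byte was a backslash inside a quote

    def feed(self, data: bytes):
        for byte in data:
            ch = chr(byte)
            if ch == "\n":      # command terminated: reset per-command state
                self.depth = self.pending = 0
                self.in_quote = self.escaped = False
                continue
            self.pending += 1
            if self.pending > self.max_pending:
                return "unterminated command exceeds %d bytes" % self.max_pending
            if self.in_quote:   # parentheses inside quoted strings are data
                if self.escaped:
                    self.escaped = False
                elif ch == "\\":
                    self.escaped = True
                elif ch == '"':
                    self.in_quote = False
            elif ch == '"':
                self.in_quote = True
            elif ch == "(":
                self.depth += 1
                if self.depth > self.max_depth:
                    return "parenthesis nesting exceeds %d" % self.max_depth
            elif ch == ")" and self.depth > 0:
                self.depth -= 1
        return None
```

A caller would close the connection when feed() returns a reason, since the guard keeps its state across chunks and does not reset after a violation.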
Fix
Resource Exhaustion
Weakness Enumeration
Related Identifiers
Affected Products
Dovecot
Linuxmint
Rocky Linux
Ubuntu