PT-2026-28366 · Dovecot+3 · Dovecot+3

Ilyar

Published

2026-01-01

Updated

2026-05-19

CVE-2026-27858

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Dovecot versions prior to 2.4.3

Description An attacker can send a crafted message before authentication, leading to excessive memory allocation within the managesieve component. This can cause the managesieve-login process to crash, potentially resulting in a denial-of-service condition. No publicly available exploits are currently known.

Recommendations Update to version 2.4.3 or later. Protect access to the managesieve protocol.

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

ALSA-2026:13498

ALSA-2026:13830

ALSA-2026:13857

ALSA-2026:19149

ALSA-2026:19364

CVE-2026-27858

OESA-2026-1849

OPENSUSE-SU-2026:10442-1

OPENSUSE-SU-2026:20554-1

RHSA-2026:13498

RHSA-2026:13830

RHSA-2026:13857

SUSE-SU-2026:21208-1

USN-8136-1

Affected Products

Dovecot

Linuxmint

Rocky Linux

Ubuntu

PT-2026-28366 · Dovecot+3 · Dovecot+3

CVE-2026-27858

Weakness Enumeration

Related Identifiers

Affected Products

References · 80