{
  "threat_severity" : "Important",
  "public_date" : "2026-03-27T08:10:21Z",
  "bugzilla" : {
    "description" : "dovecot: denial of service via crafted message before authentication",
    "id" : "2452175",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452175"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "An attacker can send a specially crafted message before authentication that causes managesieve to allocate a large amount of memory.\nAn attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to the managesieve protocol, or install a fixed version. No publicly available exploits are known.", "A flaw was found in dovecot. An unauthenticated and remote attacker can send a crafted message that causes managesieve to allocate an excessive amount of memory, forcing managesieve-login to be unavailable by repeatedly crashing the process, resulting in a denial of service." ],
  "statement" : "This flaw allows an unauthenticated and remote attacker to cause a denial of service via a specially crafted message. For this reason, this vulnerability has been rated as Important severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13498",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "dovecot-1:2.3.21-16.el10_1.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19149",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "dovecot-1:2.3.21-19.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17602",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "dovecot-1:2.3.21-16.el10_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13830",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dovecot-1:2.3.16-7.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19455",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "dovecot-1:2.3.8-9.el8_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19455",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "dovecot-1:2.3.8-9.el8_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19453",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "dovecot-1:2.3.16-2.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19453",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "dovecot-1:2.3.16-2.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19453",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "dovecot-1:2.3.16-2.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18053",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "dovecot-1:2.3.16-3.el8_8.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18053",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "dovecot-1:2.3.16-3.el8_8.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13857",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dovecot-1:2.3.16-15.el9_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19364",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dovecot-1:2.3.16-18.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17630",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "dovecot-1:2.3.16-3.el9_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17628",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "dovecot-1:2.3.16-8.el9_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17625",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "dovecot-1:2.3.16-11.el9_4.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17626",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "dovecot-1:2.3.16-15.el9_6.1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "dovecot",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "dovecot",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-27858\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27858\nhttps://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json" ],
  "name" : "CVE-2026-27858",
  "mitigation" : {
    "value" : "To mitigate this vulnerability, protect access to the managesieve protocol by configuring firewall rules to restrict access to the managesieve port and only allow connections from trusted IP addresses or networks.",
    "lang" : "en:us"
  },
  "csaw" : false
}