Description
Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.
Published: 2026-03-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A specially crafted NOOP command containing thousands of parentheses can cause the Dovecot server to allocate approximately one megabyte of memory per connection. When an attacker sends multiple such commands without terminating the line, the memory allocated persists, potentially exhausting the server’s virtual address space. The result is the termination of the server process and disruption of all other proxied connections, constituting a denial-of-service condition.

Affected Systems

The vulnerability affects Open-Xchange GmbH’s OX Dovecot Pro product. No version specifics are provided, so all releases of the affected product are considered at risk until a patched version is applied.

Risk and Exploitability

The severity indicated by the CVSS score of 4.3 reflects moderate risk, while the EPSS score of less than 1 % suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only network access to the Dovecot service and can be performed from a single IP address. By opening many connections and sending repeatedly constructed NOOP commands, an attacker can consume significant memory resources and trigger a crash, thereby lowering availability of the mail server.

Generated by OpenCVE AI on March 28, 2026 at 13:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch for OX Dovecot Pro
  • Verify that the updated version is deployed on all affected servers
  • Continue to monitor for any related advisories or exploit activity

Generated by OpenCVE AI on March 28, 2026 at 13:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6197-1 dovecot security update
Ubuntu USN Ubuntu USN USN-8136-1 Dovecot vulnerabilities
History

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-xchange
Open-xchange ox Dovecot Pro
Vendors & Products Open-xchange
Open-xchange ox Dovecot Pro

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Unbounded NOOP Memory Allocation in OX Dovecot Pro dovecot: denial of service via specially crafted NOOP command
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Unbounded NOOP Memory Allocation in OX Dovecot Pro

Fri, 27 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Open-xchange Ox Dovecot Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T12:39:48.150Z

Reserved: 2026-02-24T08:46:09.373Z

Link: CVE-2026-27857

cve-icon Vulnrichment

Updated: 2026-03-27T12:39:41.889Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-27T09:16:19.917

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-27857

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-27T08:10:20Z

Links: CVE-2026-27857 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:02:13Z

Weaknesses