Description
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate a large amount of memory.
Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to the managesieve protocol, or install the fixed version. No publicly available exploits are known.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Apply Patch
AI Analysis

Impact

A crafted message sent before authentication causes the managesieve component of OX Dovecot Pro to allocate excessive memory, leading the process to crash. The vulnerability is a classic denial-of-service flaw that results in the managesieve-login service becoming unavailable, preventing legitimate users from accessing mail services while the service is unstable. The weakness is identified as improper resource management and memory allocation errors.

Affected Systems

The affected product is Open-Xchange GmbH's OX Dovecot Pro, which incorporates the Dovecot mail server's managesieve support. No specific version numbers are supplied in the advisory; users should verify that their installation includes the managesieve component and inspect the release notes for the applicable version.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation, yet the flaw remains actionable. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it by sending a specially crafted managesieve request over the network before authentication. No publicly available exploits are known, but the operation is straightforward for an attacker who can reach the managesieve port.

Generated by OpenCVE AI on March 28, 2026 at 13:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the fixed version of OX Dovecot Pro as soon as it is released by the vendor
  • Restrict access to the managesieve protocol for untrusted clients or disable it entirely until a patch is applied
  • Apply network segmentation or firewall rules to limit exposure of the managesieve service to trusted networks
  • Monitor the managesieve service for repeated crashes and configure resource limits if possible
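The "restrict access" and "resource limits" actions above, expressed as Dovecot configuration. This is an added example, not configuration from OpenCVE, Open-Xchange or the advisory; it assumes Dovecot 2.3 configuration syntax (which OX Dovecot Pro is built on) and uses a constructed internal interface address.

```conf
# Added example: Dovecot 2.3-style configuration (assumption) for the
# managesieve-login service. Not taken from the OX Dovecot Pro advisory.

# Weak (default) posture: managesieve-login listens on every interface,
# so any client that can reach port 4190 can send pre-authentication
# messages, and the process only inherits the global default memory limit.
# service managesieve-login {
#   inet_listener sieve {
#     port = 4190
#     address = *
#   }
# }

# Hardened posture to hold until the fixed version is installed:
service managesieve-login {
  inet_listener sieve {
    port = 4190
    # Bind only to the internal interface (constructed address); pair this
    # with a firewall rule that admits only trusted client networks.
    address = 10.0.0.5
  }
  # Bound the per-process address space so a runaway allocation is cut off
  # by the kernel instead of exhausting host memory.
  vsz_limit = 64M
  # Cap how many login processes may be spawned, limiting respawn churn
  # while the service is being monitored for repeated crashes.
  process_limit = 50
}

# Alternative: disable managesieve entirely by leaving "sieve" out of the
# protocols list (conf.d/20-managesieve.conf normally appends it).
# protocols = imap lmtp
```

Watch the Dovecot log for repeated "managesieve-login" fatal or out-of-memory messages after applying this; a steady stream of them is the crash loop the advisory describes.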

Generated by OpenCVE AI on March 28, 2026 at 13:29 UTC.

Advisories

Source | ID | Title
Debian DSA | DSA-6197-1 | dovecot security update
Ubuntu USN | USN-8136-1 | Dovecot vulnerabilities

History

Mon, 30 Mar 2026 08:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-xchange; Open-xchange ox Dovecot Pro
Vendors & Products | | Open-xchange; Open-xchange ox Dovecot Pro

Sat, 28 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Memory Allocation Denial of Service via Crafted Managesieve Message | dovecot: denial of service via crafted message before authentication
Weaknesses | | CWE-770
References | |
Metrics | threat_severity: None | threat_severity: Important

Fri, 27 Mar 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
Title | | Memory Allocation Denial of Service via Crafted Managesieve Message

Fri, 27 Mar 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No publicly available exploits are known.
Weaknesses | | CWE-400
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T12:37:09.762Z

Reserved: 2026-02-24T08:46:09.374Z

Link: CVE-2026-27858

Vulnrichment

Updated: 2026-03-27T12:37:04.235Z

NVD

Status: Awaiting Analysis

Published: 2026-03-27T09:16:20.073

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-27858

Redhat

Severity: Important

Public Date: 2026-03-27T08:10:21Z

Links: CVE-2026-27858 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T07:59:46Z

Weaknesses