Description
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate a large amount of memory.
Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to the managesieve protocol, or install a fixed version. No publicly available exploits are known.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via excessive memory allocation in managesieve protocol
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows an attacker to send a specially crafted message before authenticating to the managesieve service, causing the server to allocate an excessive amount of memory. The result is a denial‑of‑service condition, either by exhausting system resources or by crashing the managesieve‑login process. The weakness exemplifies uncontrolled resource consumption (CWE‑400).

Affected Systems

The vulnerable product is Open-Xchange GmbH's OX Dovecot Pro. The CNA data gives no affected or fixed version ranges, so operators have to check their own deployment. ManageSieve support in Dovecot comes from the Pigeonhole Sieve component and is fronted by the managesieve-login service named in the description; a deployment is exposed only if sieve is listed in the protocols setting and the managesieve listener is reachable by untrusted clients.

Risk and Exploitability

The CVSS v3.1 base score of 7.5 (High) comes from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network-reachable, low attack complexity, no privileges or user interaction, and a high availability impact with no confidentiality or integrity impact. The EPSS estimate is below 1% (very low), the CVE is not in CISA's KEV catalog, and no public exploit is known; the SSVC assessment in the record nevertheless rates the issue Automatable: yes. Because the crafted message is processed before authentication, any host that can reach the managesieve listener (TCP port 4190 by default) can trigger the condition, and the description notes that triggering it repeatedly keeps managesieve-login unavailable.

Generated by OpenCVE AI on March 27, 2026 at 09:36 UTC.
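The failure mode described above (managesieve-login made unavailable by repeated crashes), turned into a detection rule as an added example that is neither OpenCVE's nor Open-Xchange's code. Dovecot's master process logs each service child that dies, naming the service, the PID and either the signal or the exit code; the functions below parse those lines, keep a sliding time window over the deaths of one service and alert when the count in the window reaches a threshold. The log lines, the host name mx1, the 60-second window, the threshold of 5 and the year used to complete the syslog timestamps are all constructed assumptions, and the line format is modeled on Dovecot's master log, so verify the regex against your own logs before relying on it.

```python
"""Flag a crash loop in Dovecot's managesieve-login service from master log lines.

Added example (not OpenCVE or Open-Xchange code). The sample log lines are
constructed and modeled on Dovecot's master log format; check the regex
against real logs before deploying.
"""
import re
from collections import deque
from datetime import datetime
from typing import List, Optional, Tuple

# Dovecot's master process reports a dead service child as, for example:
#   master: Error: service(managesieve-login): child 4104 killed with signal 11 (...)
#   master: Error: service(managesieve-login): child 4101 returned error 83 (Out of memory ...)
CHILD_DEATH = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: master: (?:Error|Fatal): "
    r"service\((?P<service>[\w-]+)\): child (?P<pid>\d+) "
    r"(?P<reason>killed with signal \d+|returned error \d+)"
)
ASSUMED_YEAR = 2026  # syslog timestamps carry no year; assumption for the samples


def parse_child_deaths(lines, service: str) -> List[Tuple[datetime, int, str]]:
    """Return (timestamp, pid, reason) for every death of the named service, oldest first."""
    events = []
    for line in lines:
        m = CHILD_DEATH.match(line)
        if not m or m.group("service") != service:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append((ts, int(m.group("pid")), m.group("reason")))
    events.sort()
    return events


def detect_crash_loop(lines, service: str = "managesieve-login",
                      window_seconds: int = 60, threshold: int = 5
                      ) -> Tuple[bool, int, Optional[datetime]]:
    """Slide a time window over the death events; alert when any window holds >= threshold.

    Returns (alert, peak_count, start_of_peak_window).
    """
    window: deque = deque()
    peak, peak_start = 0, None
    for ts, _pid, _reason in parse_child_deaths(lines, service):
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > peak:
            peak, peak_start = len(window), window[0]
    return peak >= threshold, peak, peak_start


# Constructed sample: six managesieve-login deaths, five of them within 24 seconds,
# plus one imap-login death and one ordinary login line that must be ignored.
SAMPLE_LOG = """\
Mar 27 13:10:02 mx1 dovecot: managesieve-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, lip=198.51.100.10, TLS
Mar 27 13:10:03 mx1 dovecot: master: Error: service(managesieve-login): child 4101 returned error 83 (Out of memory (service managesieve-login { vsz_limit=64 MB }, you may need to increase it))
Mar 27 13:10:08 mx1 dovecot: master: Error: service(managesieve-login): child 4102 returned error 83 (Out of memory (service managesieve-login { vsz_limit=64 MB }, you may need to increase it))
Mar 27 13:10:12 mx1 dovecot: master: Error: service(imap-login): child 4103 killed with signal 11 (core dumps disabled)
Mar 27 13:10:15 mx1 dovecot: master: Error: service(managesieve-login): child 4104 killed with signal 11 (core dumps disabled)
Mar 27 13:10:21 mx1 dovecot: master: Error: service(managesieve-login): child 4105 returned error 83 (Out of memory (service managesieve-login { vsz_limit=64 MB }, you may need to increase it))
Mar 27 13:10:27 mx1 dovecot: master: Error: service(managesieve-login): child 4106 returned error 83 (Out of memory (service managesieve-login { vsz_limit=64 MB }, you may need to increase it))
Mar 27 13:11:40 mx1 dovecot: master: Error: service(managesieve-login): child 4107 returned error 83 (Out of memory (service managesieve-login { vsz_limit=64 MB }, you may need to increase it))
"""

if __name__ == "__main__":
    alert, peak, start = detect_crash_loop(SAMPLE_LOG.splitlines())
    print(f"alert={alert} peak={peak} window_start={start}")
```

Feed it the Dovecot log (or journal output filtered on "dovecot: master:") and tune window_seconds and threshold to the normal child turnover of your installation; a burst of out-of-memory exits (error 83) from managesieve-login with no matching authentication activity is the pattern to page on.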

Remediation

The CVE record links no vendor advisory and names no fixed version. The CNA description itself states that a fixed version exists ("install fixed version") and gives restricting access to the managesieve protocol as the interim workaround, so consult the vendor's release notes for the build that carries the fix.

OpenCVE Recommended Actions

  • Install the vendor-supplied patch or updated version that addresses CVE-2026-27858
  • Restrict or firewall access to the managesieve listener (TCP port 4190 by default) so that only trusted networks can reach it
  • If a patch is not immediately available, disable the managesieve service (remove sieve from the protocols setting) or bind its listener to internal addresses only

Generated by OpenCVE AI on March 27, 2026 at 09:36 UTC.
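The two checks this page asks for, verifying whether a deployment includes the impacted managesieve implementation (Affected Systems) and confirming that access to it is restricted or the service is disabled (the recommended actions), as an added example that is not OpenCVE's or Open-Xchange's code. It parses text in dovecot.conf syntax (the same block syntax doveconf prints), reports whether the sieve protocol is enabled, which addresses and port the managesieve-login listener binds, and whether the service has an explicit vsz_limit, and flags listeners on all interfaces or outside a trusted range. The three configurations, the trusted network 10.0.0.0/8, the address 10.0.0.5 and the 64M vsz_limit are constructed for illustration, not vendor recommendations; the fallback to the global listen setting and its all-interfaces default reflects Dovecot's documented behaviour.

```python
"""Audit a Dovecot configuration for ManageSieve exposure (added example, not vendor code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BLOCK_OPEN = re.compile(r"^([\w-]+)(?:\s+([\w.:-]+))?\s*\{$")  # "service managesieve-login {"
KEY_VALUE = re.compile(r"^([\w-]+)\s*=\s*(.*)$")                  # "vsz_limit = 64M"
LOGIN = "service/managesieve-login"


def parse_dovecot_conf(text: str) -> Dict[str, str]:
    """Flatten nested dovecot.conf blocks into a path -> value map.

    'service managesieve-login { inet_listener sieve { port = 4190 } }' becomes
    {'service/managesieve-login/inet_listener/sieve/port': '4190'}.
    """
    settings: Dict[str, str] = {}
    path: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line == "}":
            path.pop()
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            path.append(m.group(1) if m.group(2) is None else f"{m.group(1)}/{m.group(2)}")
            continue
        m = KEY_VALUE.match(line)
        if m:
            settings["/".join(path + [m.group(1)])] = m.group(2).strip()
    return settings


@dataclass
class SieveExposure:
    sieve_enabled: bool
    listen_addresses: List[str]
    port: str
    vsz_limit: Optional[str]
    findings: List[str] = field(default_factory=list)


def audit_managesieve(conf: Dict[str, str], trusted_networks=("10.0.0.0/8",)) -> SieveExposure:
    """Report how reachable managesieve-login is and whether its memory is explicitly bounded."""
    if "sieve" not in conf.get("protocols", "").split():
        return SieveExposure(False, [], "", None)  # ManageSieve not served at all
    # A listener without its own address inherits the global 'listen' setting,
    # whose Dovecot default is all interfaces ("*, ::").
    addr_setting = conf.get(f"{LOGIN}/inet_listener/sieve/address") or conf.get("listen") or "*, ::"
    addresses = [a for a in re.split(r"[,\s]+", addr_setting) if a]
    port = conf.get(f"{LOGIN}/inet_listener/sieve/port", "4190")  # RFC 5804 default port
    vsz_limit = conf.get(f"{LOGIN}/vsz_limit")
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]  # hypothetical trusted ranges

    findings: List[str] = []
    for addr in addresses:
        if addr in ("*", "::"):
            findings.append(f"managesieve-login listens on all interfaces ({addr}) port {port}")
        elif not any(ipaddress.ip_address(addr) in net for net in trusted):
            findings.append(f"managesieve-login listens on {addr}:{port}, outside the trusted networks")
    if vsz_limit is None:
        findings.append("no explicit vsz_limit on managesieve-login; it inherits default_vsz_limit")
    return SieveExposure(True, addresses, port, vsz_limit, findings)


# Constructed sample configurations (not taken from any real deployment).
EXPOSED_CONF = """
protocols = imap pop3 lmtp sieve
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
"""

HARDENED_CONF = """
protocols = imap lmtp sieve
service managesieve-login {
  inet_listener sieve {
    address = 10.0.0.5   # internal interface only; firewall the port as well
    port = 4190
  }
  vsz_limit = 64M        # hypothetical cap so one crafted message cannot exhaust the host
  process_limit = 100
}
"""

SIEVE_DISABLED_CONF = "protocols = imap lmtp\n"

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF), ("disabled", SIEVE_DISABLED_CONF)):
        print(name, audit_managesieve(parse_dovecot_conf(text)))
```

Run it against the output of doveconf on each mail host; an empty findings list with sieve_enabled true means the service is still running but only on addresses you consider trusted, and a per-service vsz_limit makes a runaway allocation kill the one login process rather than starve the host, which is what makes the crash-loop pattern in the logs worth alerting on.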

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 13:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 10:00:00 +0000

Type: Title
Values removed: none
Values added: Memory Allocation Denial of Service via Crafted Managesieve Message

Fri, 27 Mar 2026 08:30:00 +0000

Type: Description
Values removed: none
Values added: Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No publicly available exploits are known.

Type: Weaknesses
Values removed: none
Values added: CWE-400

Type: References
Values removed: none
Values added:

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T12:37:09.762Z

Reserved: 2026-02-24T08:46:09.374Z

Link: CVE-2026-27858

Vulnrichment

Updated: 2026-03-27T12:37:04.235Z

NVD

Status : Received

Published: 2026-03-27T09:16:20.073

Modified: 2026-03-27T09:16:20.073

Link: CVE-2026-27858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:45:43Z

Weaknesses