Description
A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU time. Use MTA capabilities to limit RFC 2231 MIME parameters in mail messages, or upgrade to fixed version where the processing is limited. No publicly available exploits are known.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A mail message that contains an excessive number of RFC 2231 MIME parameters causes the LMTP component of the mail server to consume an abnormal amount of CPU time. The result is a denial of service scenario in which the delivery process is exhausted and can no longer serve legitimate mail traffic. The underlying weakness is an uncontrolled resource consumption scenario, identified with CWE‑400 and CWE‑770.

Affected Systems

The vulnerability affects the OX Dovecot Pro mail server from Open‑Xchange GmbH. No specific version numbers of the vulnerable build are listed in the advisory. Users of any among these deployments are potentially impacted until a patch or configuration fix is applied.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not catalogued in CISA's KEV list, and no public exploits have been published. Because the vulnerability requires sending a specially crafted message, an attacker would need to successfully inject mail into the system or have some way to trigger the LMTP processing path. The impact is limited to resource exhaustion rather than confidentiality or integrity compromise.

Generated by OpenCVE AI on March 28, 2026 at 13:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure the MTA to limit the number of RFC 2231 MIME parameters allowed in incoming messages
  • Upgrade to a fixed version of OX Dovecot Pro once it becomes available

Generated by OpenCVE AI on March 28, 2026 at 13:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6197-1 dovecot security update
Ubuntu USN Ubuntu USN USN-8136-1 Dovecot vulnerabilities
History

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-xchange
Open-xchange ox Dovecot Pro
Vendors & Products Open-xchange
Open-xchange ox Dovecot Pro

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Excessive RFC 2231 MIME Parameters Cause CPU Exhaustion in Open‑Xchange Dovecot dovecot: Dovecot: Denial of Service via excessive RFC 2231 MIME parameters
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Excessive RFC 2231 MIME Parameters Cause CPU Exhaustion in Open‑Xchange Dovecot

Fri, 27 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU time. Use MTA capabilities to limit RFC 2231 MIME parameters in mail messages, or upgrade to fixed version where the processing is limited. No publicly available exploits are known.
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Open-xchange Ox Dovecot Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T12:35:14.776Z

Reserved: 2026-02-24T08:46:09.374Z

Link: CVE-2026-27859

cve-icon Vulnrichment

Updated: 2026-03-27T12:34:38.422Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-27T09:16:20.223

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-27859

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-27T08:10:22Z

Links: CVE-2026-27859 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:02:12Z

Weaknesses