Description
An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete: it blocked only one way of doing this, leaving another open. In particular, the fix covered closing braces, but open braces could still be used to bypass the limit. Using excessive bracing, an attacker can drive memory usage up to the configured memory limit. Install the fixed version, or configure vsz_limit for the imap process to a low value. No publicly available exploits are known.
Published: 2026-05-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lets an attacker use excessive bracing in IMAP commands to cause uncontrolled memory consumption. The previous patch addressed only closing braces, leaving a path via open braces that bypasses the limit. An attacker can drive memory usage up to the configured limit, potentially exhausting system resources and disrupting service. The vulnerability is a classic resource-exhaustion weakness (CWE-400).

Affected Systems

The vulnerability affects OX Dovecot Pro from Open-Xchange GmbH. No specific affected version range is listed in the CNA data, so all installed instances of OX Dovecot Pro prior to the vendor’s fix should be considered vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity threat. Because the EPSS score is not available and the vulnerability is not listed in CISA KEV, it is not currently known to be actively exploited. The flaw can be triggered by sending IMAP commands with excessive bracing, which is feasible over any accessible IMAP server instance. An attacker can increase memory consumption up to the server’s configured limit, potentially leading to resource exhaustion and service disruption. The vulnerability was not found to have publicly available exploit code, so the primary risk comes from the possibility of repeated or targeted high‑volume IMAP traffic.

Generated by OpenCVE AI on May 12, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the vendor‑provided fixed version of OX Dovecot Pro
  • Configure the IMAP process vsz_limit to a lower value to constrain memory usage
  • Monitor system memory and IMAP traffic for signs of abnormal usage or repeated brace‑heavy commands
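The monitoring recommendation above can be turned into a concrete check. The script below is an added example, not OpenCVE's or Dovecot's code: it scans raw IMAP command lines (assumed to come from a packet capture or a rawlog) and flags lines whose bracket nesting depth, or whose count of unmatched open or close brackets, exceeds a threshold. It treats `{`, `(` and `[` as the opening characters to count, which is an assumption about what "bracing" covers, and the threshold values are illustrative only; the sample traffic is constructed.

```python
"""Flag IMAP command lines with excessive or unbalanced bracing.

Added example (not OpenCVE's or Dovecot's code). It assumes raw IMAP
command lines are available, e.g. from a capture or a rawlog, and treats
'{', '(' and '[' as the opening characters whose nesting is counted.
Threshold values are assumptions for illustration.
"""
from dataclasses import dataclass

OPENERS = {"{": "}", "(": ")", "[": "]"}
CLOSERS = {v: k for k, v in OPENERS.items()}


@dataclass
class BraceStats:
    max_depth: int        # deepest nesting reached on the line
    unmatched_open: int   # openers never closed by end of line
    unmatched_close: int  # closers with no matching opener


def brace_stats(line: str) -> BraceStats:
    """Walk the line once, tracking a stack of currently open brackets."""
    stack = []
    max_depth = 0
    unmatched_close = 0
    in_quotes = False
    prev = ""
    for ch in line:
        # Bracket characters inside an IMAP quoted string are data, not syntax
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        elif not in_quotes:
            if ch in OPENERS:
                stack.append(ch)
                max_depth = max(max_depth, len(stack))
            elif ch in CLOSERS:
                if stack and stack[-1] == CLOSERS[ch]:
                    stack.pop()
                else:
                    unmatched_close += 1
        prev = ch
    return BraceStats(max_depth, len(stack), unmatched_close)


def flag_commands(lines, max_depth=32, max_unmatched=8):
    """Return (line, stats) for every line that exceeds a limit.

    Both limits are assumed example values; tune them to the depth your
    real clients legitimately produce before alerting on them.
    """
    flagged = []
    for line in lines:
        s = brace_stats(line)
        if (s.max_depth > max_depth
                or s.unmatched_open > max_unmatched
                or s.unmatched_close > max_unmatched):
            flagged.append((line, s))
    return flagged


# Constructed sample traffic: two ordinary commands, two brace-heavy ones
SAMPLE = [
    'a1 LOGIN "user" "pass"',
    'a2 FETCH 1:* (FLAGS BODY.PEEK[HEADER.FIELDS (From To Subject)])',
    'a3 SEARCH ' + '(' * 60 + 'ALL' + ')' * 60,   # deeply nested but balanced
    'a4 APPEND INBOX ' + '{' * 40,                # many open braces, never closed
]

if __name__ == "__main__":
    for line, s in flag_commands(SAMPLE):
        print(f"flagged depth={s.max_depth} open={s.unmatched_open} "
              f"close={s.unmatched_close} :: {line[:40]}...")
```

Running it on the constructed sample flags `a3` (nesting depth 60) and `a4` (40 open braces that are never closed) while the ordinary LOGIN and FETCH lines pass. Alerting on such lines complements, rather than replaces, the page's other recommendation: bounding the imap process with `vsz_limit` (in Dovecot configuration this is set inside the `service imap { ... }` block; the exact value is site-specific) so that a single connection cannot consume memory beyond that cap even before the fixed version is installed.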


Advisories
Source       ID            Title
Debian DLA   DLA-4617-1    dovecot security update
Debian DSA   DSA-6313-1    dovecot security update
Ubuntu USN   USN-8365-1    Dovecot vulnerabilities
History

Mon, 18 May 2026 17:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Dovecot
                                       Dovecot dovecot
                                       Open-xchange dovecot
CPEs                                   cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
                                       cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*
Vendors & Products                     Dovecot
                                       Dovecot dovecot
                                       Open-xchange dovecot

Tue, 12 May 2026 16:15:00 +0000

Type                  Values Removed   Values Added
Title                                  Excessive Bracing in IMAP Causes Uncontrolled Memory Usage
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 15:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Open-xchange
                                       Open-xchange ox Dovecot Pro
Vendors & Products                     Open-xchange
                                       Open-xchange ox Dovecot Pro

Tue, 12 May 2026 14:00:00 +0000

Type                  Values Removed   Values Added
Description                            An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.
Weaknesses                             CWE-400
References
Metrics                                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Dovecot Dovecot
Open-xchange Dovecot Ox Dovecot Pro
MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-05-12T15:40:38.913Z

Reserved: 2026-04-23T11:15:21.199Z

Link: CVE-2026-42006

Vulnrichment

Updated: 2026-05-12T15:40:33.391Z

NVD

Status : Analyzed

Published: 2026-05-12T14:17:04.703

Modified: 2026-05-18T17:22:04.743

Link: CVE-2026-42006

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T16:00:13Z

Weaknesses