{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-42006","assignerOrgId":"8ce71d90-2354-404b-a86e-bec2cc4e6981","state":"PUBLISHED","assignerShortName":"OX","dateReserved":"2026-04-23T11:15:21.199Z","datePublished":"2026-05-12T13:28:46.922Z","dateUpdated":"2026-06-30T12:08:45.461Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["core"],"product":"OX Dovecot Pro","vendor":"Open-Xchange GmbH","versions":[{"lessThanOrEqual":"3.0.5","status":"affected","version":"0","versionType":"semver"},{"lessThanOrEqual":"3.1.4","status":"affected","version":"0","versionType":"semver"},{"lessThanOrEqual":"2.4.3","status":"affected","version":"0","versionType":"semver"}]}],"descriptions":[{"lang":"en","value":"An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-400","description":"Uncontrolled Resource Consumption","lang":"en","type":"cwe"}]}],"providerMetadata":{"orgId":"8ce71d90-2354-404b-a86e-bec2cc4e6981","shortName":"OX","dateUpdated":"2026-05-12T13:39:06.099Z"},"references":[{"tags":["vendor-advisory"],"url":"https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json"}],"source":{"defect":"DOV-9138","discovery":"EXTERNAL"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-12T15:40:29.845540Z","id":"CVE-2026-42006","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-12T15:40:38.913Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"}],"datePublic":"2026-05-12T13:28:46.922Z","descriptions":[{"lang":"en","value":"A flaw was found in Dovecot. A remote attacker can exploit this vulnerability by sending excessive open braces over the Internet Message Access Protocol (IMAP), leading to uncontrolled memory usage. This can cause the affected system to consume memory up to its configured limit, resulting in a Denial of Service (DoS)."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-42006"},{"name":"RHBZ#2476476","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2476476"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42006.json"}],"timeline":[{"lang":"en","time":"2026-05-12T14:02:01.841Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-12T13:28:46.922Z","value":"Made public."}],"title":"dovecot: Dovecot: Denial of Service via excessive IMAP bracing","workarounds":[{"lang":"en","value":"To mitigate this issue, administrators can configure the `vsz_limit` setting for the Dovecot IMAP process to a lower value. This limits the virtual memory size available to the IMAP process, preventing excessive memory consumption.\n\nExample configuration in `/etc/dovecot/conf.d/10-master.conf`:\n```\nservice imap {\n  vsz_limit = 256M\n}\n```\nAfter modifying the configuration, restart the Dovecot service for the changes to take effect.\n```bash\nsystemctl restart dovecot\n```\nSetting `vsz_limit` too low may impact legitimate IMAP operations. \n\n*Restarting the dovecot service will temporarily interrupt mail services."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:08:45.461Z"}}]}}