{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27857", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-02-24T08:46:09.373Z", "datePublished": "2026-03-27T08:10:20.761Z", "dateUpdated": "2026-03-27T12:39:48.150Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["core"], "product": "OX Dovecot Pro", "vendor": "Open-Xchange GmbH", "versions": [{"lessThanOrEqual": "2.3.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Sending \"NOOP (((...)))\" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "cwe"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-27T12:33:29.627Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "source": {"defect": "DOV-8816", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T12:39:00.311649Z", "id": "CVE-2026-27857", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T12:39:48.150Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T12:39:00.311649Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T12:39:41.889Z"}}], "cna": {"source": {"defect": "DOV-8816", "discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Open-Xchange GmbH", "modules": ["core"], "product": "OX Dovecot Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Sending \"NOOP (((...)))\" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-27T12:33:29.627Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27857", "state": "PUBLISHED", "dateUpdated": "2026-03-27T12:39:48.150Z", "dateReserved": "2026-02-24T08:46:09.373Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2026-03-27T08:10:20.761Z", "assignerShortName": "OX"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sending \"NOOP (((...)))\" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known."}], "id": "CVE-2026-27857", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-03-27T09:16:19.917", "references": [{"source": "security@open-xchange.com", "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@open-xchange.com", "type": "Secondary"}]}

{"bugzilla": {"description": "dovecot: denial of service via specially crafted NOOP command", "id": "2452179", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452179"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["Sending \"NOOP (((...)))\" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.", "A flaw was found in dovecot. An unauthenticated and remote attacker can send a specially crafted \"NOOP\" command containing numerous open and close parentheses without a command-ending line feed, causing the server to allocate an excessive amount of memory, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2026-27857", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-27T08:10:20Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27857\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27857\nhttps://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"], "statement": "This flaw allows an unauthenticated and remote attacker to cause a denial of service via a specially crafted \"NOOP\" command. Due to this reason, this vulnerability has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OX Dovecot Pro", "source": "cna", "vendor": "Open-Xchange GmbH"}, "product": "ox_dovecot_pro", "vendor": "open-xchange"}], "analysis": {"en": {"generated_at": "2026-03-28T13:29:42.626183+00:00", "value": {"mitigation_remediation": ["Apply vendor patch for OX Dovecot Pro", "Verify that the updated version is deployed on all affected servers", "Continue to monitor for any related advisories or exploit activity"], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Open-Xchange GmbH\u2019s OX Dovecot Pro product. No version specifics are provided, so all releases of the affected product are considered at risk until a patched version is applied.", "description_and_impact": "A specially crafted NOOP command containing thousands of parentheses can cause the Dovecot server to allocate approximately one megabyte of memory per connection. When an attacker sends multiple such commands without terminating the line, the memory allocated persists, potentially exhausting the server\u2019s virtual address space. The result is the termination of the server process and disruption of all other proxied connections, constituting a denial-of-service condition.", "risk_and_exploitability": "The severity indicated by the CVSS score of 4.3 reflects moderate risk, while the EPSS score of less than 1\u202f% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only network access to the Dovecot service and can be performed from a single IP address. By opening many connections and sending repeatedly constructed NOOP commands, an attacker can consume significant memory resources and trigger a crash, thereby lowering availability of the mail server."}}}}, "created": "2026-03-27T15:47:10.148345+00:00", "updated": "2026-03-30T07:02:13.352296+00:00", "vendors": ["open-xchange", "open-xchange$PRODUCT$ox_dovecot_pro"]}