Cyber Resilience

CVE-2026-27857

Medium

Published: 27 March 2026

Modified: 30 April 2026
CVSS Score (v3.1): 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0003 (10.5th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27857 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Open-Xchange Dovecot. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 10.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-27857 is a denial-of-service vulnerability in Dovecot stemming from uncontrolled resource consumption (CWE-400). A specially crafted "NOOP (((...)))" command containing approximately 4000 pairs of opening and closing parentheses causes about 1 MB of extra memory to be used per connection. Omitting the command's terminating LF character keeps that memory allocated for longer, while longer commands lead to client disconnection.

The vulnerability has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L), indicating network-accessible exploitation with low complexity that requires low privileges but no user interaction. An attacker, potentially from a single IP address, can open many connections (for example 1000) to allocate around 1 GB of memory. This is likely to exceed the VSZ limit, killing the Dovecot process and disrupting its other proxied connections, which achieves a denial-of-service condition.
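As an added defender-side check (not code from the advisory, Open-Xchange or the Dovecot project), the following Python flags IMAP command lines that carry the nesting pattern described above and reports whether each was left unterminated, then scales the advisory's per-connection figure to a fleet of connections. DEPTH_ALERT, the sample stream and the scaling helper are constructed assumptions based only on the ~4000 pairs / ~1 MB figure the advisory gives.

```python
"""Added detection example (not from the advisory or Dovecot). Flags IMAP command
lines whose parenthesis nesting matches the CVE-2026-27857 "NOOP (((...)))" shape
and whether each was left unterminated (no LF). Thresholds/sample are constructed."""
from dataclasses import dataclass
DEPTH_ALERT = 64        # assumption: well below the ~4000 pairs the advisory cites
ADVISORY_PAIRS = 4000   # advisory figure: ~4000 pairs -> ~1 MB per connection
ADVISORY_MB = 1.0

@dataclass
class Finding:
    tag: str
    command: str
    max_depth: int
    open_parens: int
    terminated: bool   # False: no LF seen, so the server is still holding the command

def max_nesting(line: str) -> tuple[int, int]:
    """(deepest '(' nesting, count of '('). Heuristic: '(' inside quoted
    strings or literals also counts, so tune DEPTH_ALERT accordingly."""
    depth = deepest = opens = 0
    for ch in line:
        if ch == "(":
            depth += 1
            opens += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth = max(depth - 1, 0)
    return deepest, opens

def scan_stream(raw: bytes) -> list[Finding]:
    """Split a client-to-server stream on LF; a trailing fragment has no LF."""
    parts = raw.decode("ascii", errors="replace").split("\n")
    findings: list[Finding] = []
    for i, line in enumerate(parts):
        tokens = line.rstrip("\r").split(None, 2)
        if not tokens:
            continue
        command = tokens[1].upper() if len(tokens) > 1 else ""
        deepest, opens = max_nesting(line)
        if deepest >= DEPTH_ALERT:
            findings.append(Finding(tokens[0], command, deepest, opens, i < len(parts) - 1))
    return findings

def estimated_extra_mb(open_parens: int, connections: int) -> float:
    """Scale the advisory's ~1 MB per ~4000 pairs figure to many connections."""
    return open_parens / ADVISORY_PAIRS * ADVISORY_MB * connections

# Constructed sample: benign NOOP, nested NOOP, nested NOOP left unterminated.
SAMPLE_STREAM = (b"a1 NOOP\r\n" + b"a2 NOOP " + b"(" * 100 + b")" * 100 + b"\r\n"
                 + b"a3 NOOP " + b"(" * 200)
```

Run over a proxy capture or a test stream, the unterminated finding is the one to watch: per the advisory, the allocation stays alive until the LF arrives.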

The Open-Xchange advisory (oxdc-adv-2026-0001) states that the only remediation is to install the fixed version of Dovecot, with no other mitigations available. No publicly available exploits are known.


Vulnerability details

Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.

CWE(s)

CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

This CVE enables a resource-exhaustion DoS via a crafted IMAP command that exploits CWE-400 in a public-facing Dovecot service, mapping directly to application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27858 (same product: Dovecot)
CVE-2025-59032 (same product: Dovecot)
CVE-2025-59028 (same product: Dovecot)
CVE-2026-27851 (same product: Dovecot)
CVE-2024-56921 (shared CWE-400)
CVE-2026-33538 (shared CWE-400)
CVE-2026-0517 (shared CWE-400)
CVE-2026-6051 (shared CWE-400)
CVE-2026-21945 (shared CWE-400)
CVE-2026-33750 (shared CWE-400)

Affected Assets

Vendor: dovecot, product: dovecot, versions ≤ 2.4.3
Vendor: open-xchange, product: dovecot, versions ≤ 2.3.22.1, 3.0.0 to 3.0.5, 3.1.0 to 3.1.4

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent): requires timely flaw remediation including installation of security patches, directly addressing the need to deploy the fixed version of Dovecot to eliminate the memory exhaustion vulnerability.

SC-5 Denial-of-Service Protection (prevent): implements denial-of-service protections at system entry points, directly mitigating the resource exhaustion attack via multiple crafted connections that exceed memory limits.

SC-6 Resource Availability (prevent): protects system resource availability from unauthorized depletion, specifically countering the CVE's mechanism of allocating excessive memory through repeated crafted NOOP commands.
