CVE-2026-27857
Published: 27 March 2026
Summary
CVE-2026-27857 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Open-Xchange Dovecot. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation including installation of security patches, directly addressing the need to deploy the fixed version of Dovecot to eliminate the memory exhaustion vulnerability.
SC-5 implements denial-of-service protections at system entry points, directly mitigating the resource exhaustion attack via multiple crafted connections that exceed memory limits.
SC-6 protects system resource availability from unauthorized depletion, specifically countering the CVE's mechanism of allocating excessive memory through repeated crafted NOOP commands.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables a resource-exhaustion DoS through a crafted IMAP command (CWE-400) against a public-facing Dovecot service, which maps directly to Application or System Exploitation (T1499.004), a sub-technique of Endpoint Denial of Service.
NVD Description
Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So an attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.
Deeper analysis
CVE-2026-27857 is a denial-of-service vulnerability in Dovecot, stemming from uncontrolled resource consumption (CWE-400). It occurs when a specially crafted "NOOP (((...)))" command is sent with approximately 4000 pairs of opening and closing parentheses, resulting in about 1MB of extra memory usage per connection. Omitting the command's ending LF character allows this memory to remain allocated for longer periods, while longer commands may lead to client disconnection.
The vulnerability has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L), indicating network-accessible exploitation with low complexity that requires low privileges but no user interaction. An attacker, potentially from a single IP address, can establish many connections (for example 1000) to allocate around 1 GB of memory. This is likely to exceed the VSZ limit, killing the Dovecot process and disrupting its other proxied connections, achieving a denial-of-service condition.
The Open-Xchange advisory (oxdc-adv-2026-0001) states that the only remediation is to install the fixed version of Dovecot, with no other mitigations available. No publicly available exploits are known.
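The NVD description and the analysis above describe the pattern that triggers the excess allocation: an IMAP command carrying thousands of nested parentheses, optionally left without its terminating line ending. The following Python snippet is an added illustration, not code from the advisory, NVD, or the Dovecot project, of how a defender could flag that pattern when reviewing captured IMAP command lines or inspecting client input in front of the server. It generalizes beyond NOOP to any command, since the nesting itself is the signal. The thresholds, sample lines and function names are constructed for the example; they do not come from the advisory, and the check is a detection aid, not a substitute for installing the fixed version.

```python
"""Added example (not from the advisory or the Dovecot project): a defender-side
heuristic that flags IMAP command lines showing the deep parenthesis nesting
described for CVE-2026-27857. Thresholds and sample lines are constructed."""

from typing import Iterable, List, Tuple

# Constructed thresholds (assumptions, not values from the advisory). Ordinary
# IMAP commands such as FETCH or SEARCH nest only a few levels deep and carry
# a handful of parentheses, so these limits leave normal traffic untouched.
MAX_NESTING_DEPTH = 16
MAX_PAREN_COUNT = 200


def paren_stats(command: str) -> Tuple[int, int]:
    """Return (max_nesting_depth, total_parentheses) for one IMAP command line."""
    depth = max_depth = total = 0
    for ch in command:
        if ch == "(":
            depth += 1
            total += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            # An unmatched ')' is tolerated; it still counts toward the total.
            depth = max(depth - 1, 0)
            total += 1
    return max_depth, total


def command_name(line: str) -> str:
    """Extract the IMAP command name, skipping the client-chosen tag (e.g. 'A001')."""
    parts = line.strip().split(None, 2)
    return parts[1].upper() if len(parts) >= 2 else ""


def is_suspicious(line: str) -> bool:
    """True when a line shows the resource-exhaustion pattern: excessive nesting
    or an unusually large number of parentheses, whatever the command name."""
    depth, total = paren_stats(line)
    return depth > MAX_NESTING_DEPTH or total > MAX_PAREN_COUNT


def is_incomplete(buf: bytes) -> bool:
    """True when a buffered command has no terminating CRLF. The advisory notes
    that withholding the line ending keeps the server-side allocation alive,
    so long-lived incomplete buffers are worth counting per connection."""
    return not buf.endswith(b"\r\n")


def scan(lines: Iterable[str]) -> List[str]:
    """Return the subset of command lines that trip the heuristic."""
    return [line for line in lines if is_suspicious(line)]


# Constructed sample traffic: three ordinary commands and one nested NOOP.
SAMPLE_LINES = [
    "A001 LOGIN alice secret",
    "A002 FETCH 1:* (FLAGS INTERNALDATE BODY.PEEK[HEADER.FIELDS (FROM TO SUBJECT)])",
    "A003 SEARCH OR (FROM alice) (SUBJECT report)",
    "A004 NOOP " + "(" * 300 + ")" * 300,
]

if __name__ == "__main__":
    for line in scan(SAMPLE_LINES):
        depth, total = paren_stats(line)
        print(f"flagged {command_name(line)}: depth={depth} parens={total}")
```

Running the module prints one flagged line, the nested NOOP, with its depth and parenthesis count; the FETCH and SEARCH commands, which legitimately use parentheses, pass. A proxy applying the same check would count incomplete buffers per source address as well, since the advisory's concern is many simultaneous connections each holding an unterminated command.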
Details
- CWE(s)