Memory Consumption Vulnerability in Dovecot by Open-Xchange
CVE-2026-42006

4.3 MEDIUM

Key Information:

Vendor
CVE Published: 12 May 2026

What is CVE-2026-42006?

An uncontrolled memory consumption vulnerability exists in Dovecot due to excessive bracing in IMAP operations. A previous fix attempted to address this issue by closing braces, but it was insufficient because it mitigated only one method of exploitation. An attacker can use open braces to bypass the limit and force memory usage up to the configured memory threshold. To mitigate this vulnerability, upgrade to the fixed version or lower the vsz_limit for the IMAP process. At present, there are no known publicly available exploits for this vulnerability.
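A check for the vsz_limit mitigation described above, as an added example that is not part of the advisory or of Dovecot itself: it reads configuration text in the style of `doveconf -n` output and reports which setting governs the imap service and whether it exceeds a ceiling. Assumptions: the sample configuration is constructed, the 512M ceiling is a hypothetical site policy value rather than a figure from the advisory, and a value of 0 or "unlimited" is treated as no limit.

```python
import re

# Constructed sample in the style of `doveconf -n` output (not from a real host).
SAMPLE_CONF = """\
default_vsz_limit = 1G
service imap-login {
  vsz_limit = 64M
}
service imap {
  process_limit = 1024
  vsz_limit = 2G
}
"""
UNITS = {"": 1, "b": 1, "k": 1024, "m": 1024**2, "g": 1024**3, "t": 1024**4}

def parse_size(value):
    """Bytes for a Dovecot size value; None means no limit (assumed: 0, unlimited)."""
    v = value.strip().lower()
    if v in ("0", "unlimited"):
        return None
    m = re.fullmatch(r"(\d+)\s*([bkmgt]?)", v)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def imap_vsz_limit(conf_text):
    """Return (setting, raw_value) governing the imap service, or (None, None)."""
    stack, default, service = [], None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if not stack and key == "default_vsz_limit":
                default = value
            elif stack == ["service imap"] and key == "vsz_limit":
                service = value
    if service and not service.startswith("$"):  # "$..." defers to the default
        return "service imap/vsz_limit", service
    return ("default_vsz_limit", default) if default else (None, None)

def audit(conf_text, ceiling="512M"):  # ceiling: hypothetical site policy value
    setting, raw = imap_vsz_limit(conf_text)
    if setting is None:
        return "unset", None  # nothing explicit: the built-in default applies
    limit = parse_size(raw)
    if limit is None:
        return "unlimited", setting
    return ("above-ceiling" if limit > parse_size(ceiling) else "ok"), setting
```

An "unset" result means neither setting appears in the text, so the effective limit is whatever the installed version defaults to and should be confirmed on the host.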

Affected Version(s)

OX Dovecot Pro 0 <= 3.0.5

OX Dovecot Pro 0 <= 3.1.4

OX Dovecot Pro 0 <= 2.4.3

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
