PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42006 Open-Xchange GmbH CVE debrief

CVE-2026-42006 is a medium-severity vulnerability in Dovecot's IMAP implementation, published 2026-05-12 and modified 2026-05-18. It is an incomplete fix for CVE-2026-27857, in which excessive brace characters in IMAP commands could trigger uncontrolled memory consumption. The original remediation limited only closing braces, leaving opening braces as an attack vector. An authenticated attacker can exploit this to drive memory usage up to the configured process limit, resulting in denial of service. Affected versions are Dovecot prior to 2.4.4 and Dovecot Pro prior to 3.1.5. No publicly available exploits are known.

Vendor: Open-Xchange GmbH
Product: OX Dovecot Pro
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-18
Advisory published: 2026-05-12
Advisory updated: 2026-05-18

Who should care

Organizations running Dovecot IMAP servers, particularly those with IMAP exposed externally and those that applied the CVE-2026-27857 fix but have not yet moved to the releases that complete the remediation (Dovecot 2.4.4 or Dovecot Pro 3.1.5).

Technical summary

The vulnerability stems from insufficient input validation in IMAP command parsing. The fix for CVE-2026-27857 added a limit on closing brace characters but did not apply an equivalent limit to opening braces. An attacker with valid IMAP credentials can send commands containing nested or excessive opening braces, causing the IMAP process to allocate memory without bound until it reaches vsz_limit. The attack requires network access to the IMAP service and valid authentication, with no user interaction needed. The CVSS 3.1 score of 4.3 reflects the low availability impact and the requirement for authenticated access.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Dovecot to version 2.4.4 or later, or Dovecot Pro to version 3.1.5 or later
  • As an interim mitigation, configure vsz_limit for the imap service to a low value to constrain memory consumption; keep it above what a single session legitimately needs for large mailbox operations, since a process that exceeds vsz_limit fails its allocation and dies rather than degrading gracefully
  • Monitor IMAP process memory usage for anomalous spikes that may indicate exploitation attempts
  • Review authentication logs for suspicious IMAP session patterns involving malformed command structures
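The following is an added illustration of the last two actions and of why the first fix was incomplete; it is not Dovecot's code (Dovecot's parser is C and its real brace limit is internal). The names brace_counts, closing_only_check, complete_check, missed_by_closing_only and BRACE_LIMIT are assumptions of this example, and the sample command lines are constructed, not captured traffic. It is meant for reviewing captured IMAP command lines (such as a rawlog), not for handling live sessions.

```python
"""Detection helper for the brace pattern behind CVE-2026-42006.

Added illustration, not Dovecot code. A check that counts only closing braces
(as the CVE-2026-27857 fix did) passes a command flooded with opening braces;
a complete check must bound both kinds.
"""
from typing import Iterable

# Illustrative threshold, not Dovecot's real limit. Legitimate IMAP literals
# use one {N} pair per literal, so dozens of braces on one line is unusual.
BRACE_LIMIT = 32


def brace_counts(command: str) -> tuple[int, int]:
    """Return (opening, closing) brace counts for one IMAP command line."""
    return command.count("{"), command.count("}")


def closing_only_check(command: str, limit: int = BRACE_LIMIT) -> bool:
    """Mirror of the incomplete fix: flags only excessive closing braces."""
    return brace_counts(command)[1] > limit


def complete_check(command: str, limit: int = BRACE_LIMIT) -> bool:
    """Complete check: flags excessive braces of either kind."""
    opens, closes = brace_counts(command)
    return opens > limit or closes > limit


def missed_by_closing_only(commands: Iterable[str]) -> list[str]:
    """Commands the complete check flags but the closing-only check misses."""
    return [c for c in commands if complete_check(c) and not closing_only_check(c)]


# Constructed sample lines (not captured traffic); tags and sizes are invented.
SAMPLE_COMMANDS = [
    "a001 LOGIN alice {8}",               # ordinary literal, one brace pair
    "a002 APPEND INBOX (\\Seen) {4096}",  # ordinary literal
    "a003 SELECT " + "{" * 200,           # opening-brace flood (CVE-2026-42006 case)
    "a004 SELECT " + "}" * 200,           # closing-brace flood (caught since CVE-2026-27857)
]


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd[:20]!r:<24} closing-only={closing_only_check(cmd)!s:<5} "
              f"complete={complete_check(cmd)}")
    missed = missed_by_closing_only(SAMPLE_COMMANDS)
    print("missed by closing-only check:", [c[:12] for c in missed])
```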

Evidence notes

The CVE description confirms the incomplete fix for CVE-2026-27857; NVD CPE data specifies the affected version ranges; the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L supports a network-based attack requiring low privileges, with impact limited to availability.

Official resources

2026-05-12