CVE-2026-27858
Received Received - Intake
Memory Exhaustion Vulnerability in managesieve Causes Service Crash

Publication date: 2026-03-27

Last updated on: 2026-04-30

Assigner: Open-Xchange

Description
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No publicly available exploits are known.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27858
EUVD
EUVD-2026-16569
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
dovecot dovecot to 2.4.3 (exc)
open-xchange dovecot From 3.0.0 (inc) to 3.0.5 (exc)
open-xchange dovecot From 3.1.0 (inc) to 3.1.4 (exc)
open-xchange dovecot to 2.3.22.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves an attacker sending a specially crafted message to the managesieve service before authentication. This causes managesieve to allocate a large amount of memory.

As a result, the managesieve-login process can be repeatedly crashed, making the managesieve service unavailable.

Impact Analysis

The main impact of this vulnerability is a denial of service (DoS) condition.

  • Attackers can repeatedly crash the managesieve-login process, causing the service to become unavailable.
  • This can disrupt email filtering or management services that rely on managesieve.
Mitigation Strategies

To mitigate this vulnerability, you should protect access to the managesieve protocol or install a fixed version of the software.

Compliance Impact

The vulnerability allows an attacker to cause a denial of service by crashing the managesieve-login process, leading to unavailability of the managesieve service.

There is no indication from the provided information that this vulnerability impacts confidentiality or integrity of data, only availability.

Since common standards and regulations like GDPR and HIPAA emphasize the availability, integrity, and confidentiality of data, this vulnerability primarily affects the availability aspect.

Organizations relying on managesieve for email management should consider that denial of service could impact compliance related to service availability requirements.

No direct information is provided about specific compliance impacts or mitigation steps related to these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart