1. Home
  2. CVE Database
  3. CVE-2026-42006
MEDIUM · 4.3

CVE-2026-42006

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left ope...

Vulnerability Description

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW

Affected Products

VendorProductVersions
DovecotDovecot< 2.4.4
Open-XchangeDovecot< 3.1.5

Related Weaknesses (CWE)

CWE-400

References

FAQ

What is CVE-2026-42006?

CVE-2026-42006 is a vulnerability with a CVSS score of 4.3 (MEDIUM). An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left ope...

How severe is CVE-2026-42006?

CVE-2026-42006 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-42006?

Check the references section above for vendor advisories and patch information. Affected products include: Dovecot Dovecot, Open-Xchange Dovecot.