Open-Xchange Dovecot Improper Input Validation Vulnerability Leading to Memory Exhaustion Denial-of-Service
Vulnerability
A vulnerability exists in Open-Xchange Dovecot Pro and Community Edition versions from 2.4.0 before 2.4.3 and in 3.1.0, as well as in Dovecot Pro 2.3.0, that allows an unauthenticated attacker to send a specially crafted message to the ManageSieve service before authentication. This message causes the ManageSieve service to allocate a large amount of memory, leading to a denial-of-service condition. The process can be crashed repeatedly, making ManageSieve login unavailable to other users.
Impact
Exploitation of this vulnerability causes excessive memory usage, which can lead to the process being terminated after reaching the virtual memory limit. This disruption can affect other proxied connections as well.
Reproduction
The vulnerability can be reproduced by sending a 'NOOP' command containing a large number of parentheses to the ManageSieve service before authentication. This command causes the service to allocate excessive memory, and the allocation is held for as long as the command's terminating line feed is withheld, so an attacker can open multiple such connections and exhaust the server's resources.
Remediation
Users are advised to protect access to the ManageSieve protocol or to upgrade to a fixed version. Instructions for updating can be found in the Open-Xchange Dovecot security advisory OXDC-ADV-2026-0001.
