CVE Catalog

CVE-2026-42006

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.45%

36th percentile - higher than 36% of all known CVEs

Summary

A vulnerability in IMAP handling allows an attacker to cause uncontrolled memory usage through excessive bracing. The fix for CVE-2026-27857 was incomplete, blocking only one attack vector while leaving another open. Attackers can use open braces to bypass the limit and increase memory usage up to the configured memory limit.

Risk Assessment

The risk is that an attacker can exhaust server memory, leading to denial of service (DoS) for other users. Although no public exploits are known, the attack can be performed by authenticated or unauthenticated IMAP users.

Recommendation

Immediately update to a version containing the complete fix. If updating is not possible, configure a low vsz_limit for the IMAP process to restrict maximum memory usage.

Original NVD description (English source)

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS