This security update addresses three denial-of-service vulnerabilities in Dovecot, including one via a crafted SASL initial response in the ManageSieve AUTHENTICATE command (CVE-2025-59032, CVSS 7.5 HIGH), another via a crafted message before authentication (CVE-2026-27858, CVSS 7.5 HIGH), and a third via a specially crafted NOOP command (CVE-2026-27857, CVSS 4.3 MEDIUM). The affected versions are Dovecot before 2.4.3, and Open-Xchange Dovecot before 2.3.22.1, 3.0.5, and 3.1.4. The fixed versions are Dovecot 2.4.3 and Open-Xchange Dovecot 2.3.22.1, 3.0.5, or 3.1.4.
Red Hat Product Errata RHSA-2026:19455 - Security Advisory Issued: 2026-05-20 Updated: 2026-05-20 RHSA-2026:19455 - Security Advisory Overview Updated Packages Synopsis Important: dovecot security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for dovecot is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fix(es): dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (CVE-2025-59032) dovecot: denial of service via crafted message before authentication (CVE-2026-27858) dovecot: denial of service via specially crafted NOOP command (CVE-2026-27857) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64 Red Hat Enterprise Linux Server - AUS 8.4 x86_64 Fixes BZ - 2452172 - CVE-2025-59032 dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command BZ - 2452175 - CVE-2026-27858 dovecot: denial of service via crafted message before authentication BZ - 2452179 - CVE-2026-27857 dovecot: denial of service via specially crafted NOOP command CVEs CVE-2025-59032 CVE-2026-27857 CVE-2026-27858 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 SRPM dovecot-2.3.8-9.el8_4.1.src.rpm SHA-256: bebd6fadb5937083b2066820d7eaa32c234506ebea2600063f5b7512ed150726 x86_64 dovecot-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: 37a2cfc220a891f3d92f2062d89f402398fe18f7055eccd74eca2becbf503788 dovecot-debuginfo-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: 146f938c34c9df10fa5186241dabffad2f564697f952a49b072a50924f0a4fed dovecot-debugsource-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: ae1c0379d47b27dc670ac8f66826c045efb217a6c87380b0670d6ac47d2c1926 dovecot-mysql-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: ad1bb23dfc84aa2aa46d6f003ea6ee63a12ab9c845f30b90648e3a725ecc6af0 dovecot-mysql-debuginfo-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: 2e5e16908d304605d5ec7d5f0e61571caf17565124a2bf65fde334d8947b916e dovecot-pgsql-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: e73b9a8e3664f92a037b2b3f6e979a34df489c3defa2da01c766533ea1954b7c dovecot-pgsql-debuginfo-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: 0f20063ec501d41cd68ea45d3fda9d312632edd0414fbab54cf37d99fdb344fb dovecot-pigeonhole-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: c79b6a0e01ef1f4325f2d4abefc18ad9738187838e5f222b9112e80ec83c41d5 dovecot-pigeonhole-debuginfo-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: b64dd5d5954df246ff1155c93e9c3fb2e7ef06db6640cd3377c6e0faa2013d3d Red Hat Enterprise Linux Server - AUS 8.4 SRPM dovecot-2.3.8-9.el8_4.1.src.rpm SHA-256: bebd6fadb5937083b2066820d7eaa32c234506ebea2600063f5b7512ed150726 x86_64 dovecot-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: 37a2cfc220a891f3d92f2062d89f402398fe18f7055eccd74eca2becbf503788 dovecot-debuginfo-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: 146f938c34c9df10fa5186241dabffad2f564697f952a49b072a50924f0a4fed dovecot-debugsource-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: ae1c0379d47b27dc670ac8f66826c045efb217a6c87380b0670d6ac47d2c1926 dovecot-mysql-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: ad1bb23dfc84aa2aa46d6f003ea6ee63a12ab9c845f30b90648e3a725ecc6af0 dovecot-mysql-debuginfo-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: 2e5e16908d304605d5ec7d5f0e61571caf17565124a2bf65fde334d8947b916e dovecot-pgsql-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: e73b9a8e3664f92a037b2b3f6e979a34df489c3defa2da01c766533ea1954b7c dovecot-pgsql-debuginfo-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: 0f20063ec501d41cd68ea45d3fda9d312632edd0414fbab54cf37d99fdb344fb dovecot-pigeonhole-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: c79b6a0e01ef1f4325f2d4abefc18ad9738187838e5f222b9112e80ec83c41d5 dovecot-pigeonhole-debuginfo-2.3.8-9.el8_4.1.x86_64.rpm SHA-256: b64dd5d5954df246ff1155c93e9c3fb2e7ef06db6640cd3377c6e0faa2013d3d The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .