Home / mailingsPDF  

[USN-8365-1] Dovecot vulnerabilities

Posted on 02 June 2026
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-8365-1
June 02, 2026

dovecot vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Dovecot.

Software Description:
- dovecot: IMAP and POP3 email server

Details:

It was discovered that Dovecot incorrectly treated some variable expansion
pipelines as safe in authentication filters. An attacker could possibly use
this issue to perform SQL or LDAP injection attacks. This issue only
affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-27851)

It was discovered that Dovecot incorrectly verified SCRAM TLS channel
binding in certain base64 exchanges. A remote attacker could possibly use
this issue to obtain sensitive information in a machine-in-the-middle
attack. (CVE-2026-33603)

It was discovered that Dovecot incorrectly enforced Sieve script CPU
limits. An attacker could possibly use this issue to cause Dovecot to use
excessive resources, leading to a denial of service. (CVE-2026-40016)

It was discovered that Dovecot incorrectly handled certain IMAP SETACL
commands. An attacker could possibly use this issue to spam folders to
other users. (CVE-2026-40020)

It was discovered that Dovecot incorrectly handled excessive IMAP bracing.
An attacker could possibly use this issue to cause Dovecot to use excessive
resources, leading to a denial of service. (CVE-2026-42006)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
dovecot-core 1:2.4.2+dfsg1-3ubuntu2.1

Ubuntu 25.10
dovecot-core 1:2.4.1+dfsg1-5ubuntu4.2

Ubuntu 24.04 LTS
dovecot-core 1:2.3.21+dfsg1-2ubuntu6.5

Ubuntu 22.04 LTS
dovecot-core 1:2.3.16+dfsg1-3ubuntu2.9

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8365-1
CVE-2026-27851, CVE-2026-33603, CVE-2026-40016, CVE-2026-40020,
CVE-2026-42006

Package Information:
https://launchpad.net/ubuntu/+source/dovecot/1:2.4.2+dfsg1-3ubuntu2.1
https://launchpad.net/ubuntu/+source/dovecot/1:2.4.1+dfsg1-5ubuntu4.2
https://launchpad.net/ubuntu/+source/dovecot/1:2.3.21+dfsg1-2ubuntu6.5
https://launchpad.net/ubuntu/+source/dovecot/1:2.3.16+dfsg1-3ubuntu2.9

--===============4441222447228650567==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :