Moderate DoS and Info Disclosure Vulnerabilities in Dovecot Affect Fedora 43 and 44

Severity: Medium (Score: 57.1)

Sources: Linuxsecurity

Published: 2026-06-02 · Updated: 2026-06-02

Keywords: safe, fedora, dovecot, moderate, info, disclosure, cve-2026-27851

Summary

The Dovecot packages in Fedora 43 and 44 have been found to contain multiple vulnerabilities, including CVE-2026-33603, CVE-2026-40020, and CVE-2026-42006. These vulnerabilities allow information disclosure and denial-of-service (DoS) attacks, affecting users who rely on IMAP services. Attackers could exploit them through methods such as channel binding bypass and excessive bracing over IMAP, leading to potential service disruptions. The vulnerabilities were disclosed on May 12, 2026, and are linked to incomplete fixes from earlier patches. Users are advised to update their systems to mitigate these risks. The vulnerabilities are present in both Fedora 43 and 44, indicating a broader impact across these versions. The updates can be installed using the 'dnf' package manager.

Key Points:

  • Dovecot in Fedora 43 and 44 has multiple vulnerabilities allowing DoS and info disclosure.
  • Key CVEs include CVE-2026-33603 and CVE-2026-40020, published on May 12, 2026.
  • Users are urged to apply updates to mitigate risks associated with these vulnerabilities.

Detailed Analysis

**Impact**

Fedora 43 and 44 users running Dovecot mail servers are affected by moderate denial-of-service (DoS) and information disclosure vulnerabilities. The issues potentially expose IMAP folder access controls and authentication mechanisms, risking unauthorized access and service disruption. The vulnerabilities affect email service availability and confidentiality, primarily for organizations relying on Fedora-based mail infrastructure. No specific sectors or geographic regions are detailed.

**Technical Details**

The vulnerabilities include CVE-2026-27851 (lib-var-expand: the safe filter marks all following pipelines as safe), CVE-2026-33603 (CRAM-SHA-*-PLUS channel binding bypass via MITM with trusted certificates), CVE-2026-40020 (IMAP SETACL command injection enabling shared-spam), and CVE-2026-42006 (uncontrolled memory usage via excessive IMAP bracing). The attack vector is network-based exploitation of IMAP and the authentication protocols, resulting in information disclosure and DoS conditions. Root privilege dropping and socket listener configuration changes address privilege escalation and service stability. No malware or IOCs are specified.

**Recommended Response**

Apply the Dovecot 2.4.4 update released on May 15, 2026, via Fedora's dnf upgrade advisories FEDORA-2026-693373747f (Fedora 43) or FEDORA-2026-96eeb03b88 (Fedora 44) immediately. Harden configurations by verifying root privilege drops and listener socket settings as described in the update. Monitor IMAP traffic for abnormal SETACL commands and excessive bracing patterns indicative of exploitation attempts. No additional IOCs or detection signatures are provided.

Source articles (2)

  • Fedora 44 Dovecot Moderate Info Disclosure DoS Vuln 2026 — Linuxsecurity · 2026-06-02
    CVE-2026-27851: lib-var-expand: Safe filter marks all following pipelines safe. CVE-2026-33603: auth: CRAM-SHA-*-PLUS channel binding could be faked. MITM attacker with a certificate trusted by the cl…
  • Fedora 43 Dovecot Suffering from Moderate DoS Info Disclosure Issues — Linuxsecurity · 2026-06-02
    CVE-2026-27851: lib-var-expand: Safe filter marks all following pipelines safe. CVE-2026-33603: auth: CRAM-SHA-*-PLUS channel binding could be faked. MITM attacker with a certificate trusted by the cl…

Timeline

  • 2026-03-27 — Incomplete fix released for CVE-2026-27857: An incomplete fix for a previous vulnerability led to the current issues in Dovecot.
  • 2026-05-12 — Multiple CVEs published for Dovecot vulnerabilities: CVE-2026-33603, CVE-2026-40020, and CVE-2026-42006 disclosed, affecting Fedora 43 and 44.
  • 2026-05-12 — CVE-2026-33603 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-27851 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-40016 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-40020 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-42006 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-02 — Current advisory issued for Fedora Dovecot vulnerabilities: Fedora 43 and 44 users are advised to update Dovecot to mitigate identified vulnerabilities.

CVEs

  • CVE-2026-27851
  • CVE-2026-27857
  • CVE-2026-33603
  • CVE-2026-40016
  • CVE-2026-40020
  • CVE-2026-42006

Related entities

  • Data Breach (Attack Type)
  • Denial of Service (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-78 - OS Command Injection (Cwe)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • Dovecot (Platform)
  • Linux (Platform)
  • Fedora (Company)