CVE-2026-27856
Publication date 27 March 2026
Last updated 1 April 2026
Ubuntu priority
Description
Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| dovecot | 25.10 questing |
Fixed 1:2.4.1+dfsg1-5ubuntu4.1
|
| 24.04 LTS noble |
Fixed 1:2.3.21+dfsg1-2ubuntu6.3
|
|
| 22.04 LTS jammy |
Fixed 1:2.3.16+dfsg1-3ubuntu2.7
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.4 · High
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-8136-1
- Dovecot vulnerabilities
- 31 March 2026