CVE-2026-40016

NameCVE-2026-40016
DescriptionAttacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6313-1
Debian Bugs1136444

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dovecot (PTS)bullseye1:2.3.13+dfsg1-2+deb11u1vulnerable
bullseye (security)1:2.3.13+dfsg1-2+deb11u3vulnerable
bookworm1:2.3.19.1+dfsg1-2.1+deb12u5vulnerable
bookworm (security)1:2.3.19.1+dfsg1-2.1+deb12u6fixed
trixie1:2.4.1+dfsg1-6+deb13u5vulnerable
trixie (security)1:2.4.1+dfsg1-6+deb13u6fixed
forky, sid1:2.4.4+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dovecotsourcebookworm1:2.3.19.1+dfsg1-2.1+deb12u6DSA-6313-1
dovecotsourcetrixie1:2.4.1+dfsg1-6+deb13u6DSA-6313-1
dovecotsource(unstable)1:2.4.4+dfsg1-11136444

Notes

https://www.openwall.com/lists/oss-security/2026/05/12/6
Fixed by: https://github.com/dovecot/pigeonhole/commit/5b0ed9d1034c023d3daf218b6b8656f0cdd383dc (2.4.4)
Search for package or bug name: Reporting problems