CVE-2019-10691
Description
Invalid UTF-8 sequences in usernames or email headers crash Dovecot's authentication service via JSON encoder assertion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The JSON encoder in Dovecot versions 2.3.0 through 2.3.5.1 incorrectly asserts when processing invalid UTF-8 characters, leading to a crash. This affects the authentication service when auth policy is enabled [1][2]. It can also be triggered during OX push notification delivery if an email contains invalid UTF-8 in the From or Subject headers [2]. In version 2.2.x, malformed UTF-8 sequences are passed through without issue [2].
Exploitation
An unauthenticated remote attacker can repeatedly crash the Dovecot authentication process by attempting to authenticate with a username containing an invalid UTF-8 sequence, provided auth policy is enabled [2]. Additionally, if the OX push notification driver is enabled, an attacker can send an email with an invalid UTF-8 sequence in the From or Subject header to trigger a crash [2]. No special privileges or user interaction beyond sending a crafted request or email are required.
Impact
Successful exploitation causes a denial of service (DoS) by repeatedly crashing the authentication service, preventing legitimate users from authenticating [1][2]. The CVSS score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) [2]. No information disclosure, privilege escalation, or remote code execution is reported.
Mitigation
The vulnerability is fixed in Dovecot version 2.3.5.2, released 2019-04-11 [1][2]. Users should upgrade to that version or later. If upgrading is not immediately possible, disabling auth policy or OX push notification driver may reduce exposure, but the vendor recommends upgrading [2]. The Gentoo advisory (GLSA 201908-29) also recommends upgrading to >=net-mail/dovecot-2.3.7.2 [4].
- security - CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.
- [Dovecot-news] CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.
- Multiple vulnerabilities (GLSA 201908-29) — Gentoo security
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (6)
- (no CPE) range: 1.1.alpha1, 1.1.alpha2, 1.1.alpha4, …
- (no CPE) range: <2.3.5.2
- OSV coordinates (4 versions): pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.0; pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweed; pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed; pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015
- (no CPE) range: < 2.3.3-lp150.11.1
- (no CPE) range: < 2.3.16-1.6
- (no CPE) range: < 2.4.0-1.1
- (no CPE) range: < 2.3.3-4.13.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The JSON encoder in Dovecot 2.3 assert-crashes when processing invalid UTF-8 sequences instead of handling them safely."
Attack vector
An attacker can repeatedly crash the Dovecot authentication process by attempting to log in with a username containing an invalid UTF-8 sequence [ref_id=1]. This requires that auth policy is enabled (auth_policy_server_url and auth_policy_hash_nonce must be configured) [ref_id=1]. The JSON encoder's assertion failure causes the authentication service to crash, and the attacker can sustain this to keep the service down [CWE-176] [ref_id=1].
Affected code
The vulnerability resides in the JSON encoder component of Dovecot 2.3.0 through 2.3.5.1 [ref_id=1]. The encoder incorrectly triggers an assertion failure when it encounters invalid UTF-8 sequences, rather than handling them gracefully [ref_id=1].
What the fix does
The vendor fixed the issue in Dovecot version 2.3.5.2 [ref_id=1]. The advisory does not include a patch diff, but the solution is to update to the latest patch release or disable auth policy support [ref_id=2]. The fix ensures the JSON encoder no longer assert-crashes on invalid UTF-8 input, instead handling such sequences safely [ref_id=1].
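The failure mode described above and its safe counterpart, as an added Python illustration written for this page (not Dovecot's own code): an encoder that treats invalid UTF-8 as an internal invariant and asserts, beside one that decodes with replacement so malformed bytes can never take the service down. The request shape in `build_policy_request` is a constructed sample, not the real auth policy schema.

```python
import json


def json_escape(text: str) -> str:
    """Minimal JSON string escaping for already-decoded text."""
    out = ['"']
    for ch in text:
        if ch == '"':
            out.append('\\"')
        elif ch == "\\":
            out.append("\\\\")
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    out.append('"')
    return "".join(out)


def encode_fragile(raw: bytes) -> str:
    """CWE-176 pattern: the encoder assumes its input is valid UTF-8 and asserts on it.
    surrogateescape maps each bad byte to a lone surrogate U+DC80..U+DCFF, which the
    assert then catches; in a daemon this is a crash, not an error response."""
    text = raw.decode("utf-8", errors="surrogateescape")
    assert not any(0xDC80 <= ord(c) <= 0xDCFF for c in text), "invalid UTF-8 reached encoder"
    return json_escape(text)


def encode_safe(raw: bytes) -> str:
    """Hardened variant: malformed sequences become U+FFFD and encoding always succeeds,
    so an attacker-controlled username cannot turn into an assertion failure."""
    text = raw.decode("utf-8", errors="replace")
    return json_escape(text)


def is_valid_utf8(raw: bytes) -> bool:
    """Boundary check a caller can use to reject bad input before it reaches any encoder."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def build_policy_request(username: bytes, remote_ip: str) -> str:
    """Constructed sample of a policy lookup document (hypothetical shape)."""
    return ("{" + '"command":"allow","username":' + encode_safe(username)
            + ',"remote":' + json_escape(remote_ip) + "}")
```

`encode_fragile(b"alice\xff")` raises `AssertionError`, while `encode_safe` on the same bytes yields a parseable JSON string containing U+FFFD.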
Preconditions
- config: Auth policy must be enabled (auth_policy_server_url and auth_policy_hash_nonce configured)
- network: Attacker must be able to initiate authentication attempts against the Dovecot server
- auth: No authentication required — attacker can be unauthenticated
- input: Username must contain an invalid UTF-8 sequence
Reproduction
Configure Dovecot with auth_policy_server_url and auth_policy_hash_nonce set. Attempt to log in with a username containing an invalid UTF-8 sequence. Observe the assert-crash in Dovecot logs [ref_id=1] [ref_id=2].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html (MITRE; vendor advisory; x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/ (MITRE; vendor advisory; x_refsource_FEDORA)
- security.gentoo.org/glsa/201908-29 (MITRE; vendor advisory; x_refsource_GENTOO)
- www.openwall.com/lists/oss-security/2019/04/18/3 (MITRE; mailing list; x_refsource_MLIST)
- dovecot.org/list/dovecot-news/2019-April/000406.html (MITRE; mailing list; x_refsource_MLIST)
News mentions
No linked articles in our index yet.