CVE-2019-11494
Description
In Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when a client disconnects prematurely during the AUTH command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The submission-login service in Dovecot versions 2.3.3 through 2.3.5.2 contains a crash vulnerability. The issue occurs in the IMAP Server when a client disconnects prematurely while the AUTH command is being processed. This can lead to a denial-of-service condition for the submission-login service. [1][2]
Exploitation
An attacker can exploit this vulnerability by initiating an IMAP connection to a vulnerable Dovecot server, sending the AUTH command, and then abruptly disconnecting. No prior authentication or special privileges are required; the attacker only needs network access to the IMAP port. The premature disconnection triggers a crash in the submission-login process. [3]
Impact
Successful exploitation results in a crash of the submission-login service, causing a denial of service. This prevents legitimate users from accessing the submission-login functionality until the service is restarted. The confidentiality and integrity of data are not directly impacted. [3]
Mitigation
Dovecot has not publicly disclosed a fixed version in the available references. Administrators should monitor the Dovecot security page for updates. As a workaround, limiting access to the IMAP service to trusted networks may reduce exposure. The issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (8)
- Dovecot/IMAP Server (description)
- Range: >=2.3.3, <=2.3.5.2
- Range: >=2.3.3, <=2.3.5.2
- osv-coords (5 versions):
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP1
- (no CPE) range: < 2.3.3-lp150.14.1
- (no CPE) range: < 2.3.3-lp151.2.6.1
- (no CPE) range: < 2.3.16-1.6
- (no CPE) range: < 2.4.0-1.1
- (no CPE) range: < 2.3.3-8.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (6)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/ (mitre, vendor-advisory, x_refsource_FEDORA)
- www.dovecot.org/download.html (mitre, x_refsource_MISC)
- www.dovecot.org/security.html (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.