VYPR
Unrated severity · NVD Advisory · Published Dec 13, 2019 · Updated Aug 5, 2024

CVE-2019-19722

Description

In Dovecot before 2.3.9.2, a crafted email with a group address triggers a NULL pointer dereference in the push notification driver, causing a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Dovecot versions 2.3.9 and earlier, the push notification driver contains a NULL pointer dereference vulnerability (CWE-476). When push notifications are enabled, processing an email where either the sender or recipient is a group address causes a crash. The issue was reported by Frederik Schwan and Michael Stilkerich and is tracked as DOV-3719 [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted email with a group address as the sender or recipient to a Dovecot server configured with push notifications enabled. No authentication or special privileges are required, as the vulnerability is triggerable via standard email delivery [1][2]. The crash occurs immediately upon processing the email, leading to repeated delivery attempts and MTA queueing [2].

Impact

Successful exploitation results in a denial of service (availability impact only) due to the crash of the push notification driver (signal 11). Repeated attempts to deliver the problematic email cause further resource consumption in the mail transfer agent. The CVSS score is 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) [1][2].

Mitigation

The issue is fixed in Dovecot version 2.3.9.2, released on December 12, 2019. An initial fix in version 2.3.9.1 was incomplete, so all users should update to 2.3.9.2 or later [2][3]. No workarounds are available; the only mitigation is to apply the patch.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"NULL pointer dereference in push notification drivers when handling a group address (sender or recipient) from an email."

Attack vector

An attacker sends an email where the sender (or, in some drivers, the recipient) is a group address rather than a single user address [1]. When Dovecot's push notification driver processes this email, it dereferences a NULL pointer, causing a signal 11 crash [1]. The crash leads to repeated delivery attempts that queue mail in the MTA [1]. No authentication is required; the attacker only needs the ability to send an email to a Dovecot server that has push notifications enabled [1].

Affected code

The vulnerable component is the push notification driver in Dovecot 2.3.9 [1]. The advisory does not specify exact file paths or function names, but notes that the OX push notification driver and the third-party plugin XAPS are both affected [1].

What the fix does

The vendor released Dovecot 2.3.9.1 as the initial fix, but that fix was incomplete, so 2.3.9.2 was issued to fully resolve the NULL pointer dereference [1][2]. The advisory does not include a patch diff, but the remediation guidance directs operators to update to the latest patch release (2.3.9.2) [1][2]. The fix ensures that push notification drivers properly handle group addresses without dereferencing a NULL pointer.
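As an added example (not Dovecot's code, which this advisory does not quote), the defect pattern behind a bug of this class and its guarded form: an RFC 5322 group address such as `undisclosed-recipients:;` parses to entries that carry no mailbox, so a formatter that assumes a single mailbox dereferences NULL. The struct layout and function names are assumptions for this illustration.

```c
/* Added illustration, not Dovecot's code: a group address parses to entries
 * with no mailbox, so a formatter assuming one mailbox dereferences NULL.
 * Struct layout and function names are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed address list. RFC 5322 group syntax ("Team: bob@example.org;" or the
 * empty "undisclosed-recipients:;") becomes a group-start entry holding only
 * the group name, the members, then a group-end entry with all fields NULL. */
struct addr {
    const char *name;     /* display name, or the group name on a group start */
    const char *mailbox;  /* NULL on group start and group end entries */
    const char *domain;   /* NULL on group start and group end entries */
    const struct addr *next;
};

/* The defective pattern (CWE-476) is strlen(a->mailbox) on the first entry:
 * with a group header first, mailbox is NULL and the process takes SIGSEGV
 * (signal 11). Guarded form: skip group markers, format the first real
 * member, and return NULL when no usable address exists so the caller can
 * skip the notification instead of crashing. Caller frees the result. */
char *sender_mailbox(const struct addr *a) {
    for (; a != NULL; a = a->next) {
        if (a->mailbox == NULL || a->domain == NULL) continue; /* group marker */
        size_t n = strlen(a->mailbox) + strlen(a->domain) + 2;
        char *out = malloc(n);
        if (out != NULL) snprintf(out, n, "%s@%s", a->mailbox, a->domain);
        return out;
    }
    return NULL;
}

int main(void) {
    /* Constructed headers: empty group, group with one member, single address */
    struct addr end = { NULL, NULL, NULL, NULL };
    struct addr empty_group = { "undisclosed-recipients", NULL, NULL, &end };
    struct addr bob = { NULL, "bob", "example.org", &end };
    struct addr team = { "Team", NULL, NULL, &bob };
    struct addr ann = { "Ann", "ann", "example.com", NULL };
    const struct addr *hdrs[] = { &empty_group, &team, &ann };
    for (size_t i = 0; i < 3; i++) {
        char *s = sender_mailbox(hdrs[i]);
        printf("%s\n", s != NULL ? s : "(no sender: skip notification)");
        free(s);
    }
    return 0;
}
```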

Preconditions

  • Config: Dovecot must be configured with push notifications enabled (e.g., OX push notification driver or third-party plugin XAPS)
  • Network: the attacker must be able to send an email to the Dovecot server
  • Input: the email must use a group address as either the sender or the recipient

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.