CVE-2019-7524
Description
A local attacker can trigger a buffer overflow in Dovecot's indexer-worker via crafted FTS or POP3-UIDL headers, leading to privilege escalation to root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Dovecot versions 2.0.14 through 2.3.5, the fts and pop3-uidl components do not bound the input buffer size when reading extension headers from dovecot index files. This allows a buffer overflow in the indexer-worker process, as data is copied to a target structure without proper size checks [1][2]. The vulnerability affects Dovecot versions before 2.2.36.3 and 2.3.x before 2.3.5.1 [1][2].
Exploitation
A local attacker with the ability to directly modify dovecot index files can exploit this vulnerability. The attacker must produce a dovecot.index.log entry that creates an FTS header with more than 12 bytes of data. Triggering the indexer-worker process (e.g., via doveadm index) causes the buffer overflow and crashes Dovecot [2].
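The unchecked copy described above, next to one way of bounding it, as an added example that is not Dovecot's own code. The structure, function names and the 16-byte sample input are hypothetical; only the 12-byte limit comes from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed-size target structure: 12 bytes, matching the limit
 * given in the text. Not Dovecot's real definition. */
struct ext_header {
    uint32_t fields[3];
};

/* Vulnerable pattern: the length comes from the index file and is trusted.
 * Any data_size > sizeof(*dst) writes past the end of dst. */
void read_header_unchecked(struct ext_header *dst, const void *data,
                           size_t data_size)
{
    memcpy(dst, data, data_size);
}

/* Hardened pattern: treat the on-disk length as untrusted. A missing or
 * wrongly sized header is rejected and dst is left zeroed; the copy
 * length is always the size of the destination. */
int read_header_checked(struct ext_header *dst, const void *data,
                        size_t data_size)
{
    memset(dst, 0, sizeof(*dst));
    if (data == NULL || data_size != sizeof(*dst))
        return -1;
    memcpy(dst, data, sizeof(*dst));
    return 0;
}

/* Constructed sample input: a 16-byte "header" as it might be read back
 * from a tampered index file. Returns 1 if the guard held. */
int oversized_header_is_rejected(void)
{
    unsigned char on_disk[16];
    struct { struct ext_header hdr; uint32_t canary; } frame;

    memset(on_disk, 0x41, sizeof(on_disk));
    frame.canary = 0xC0FFEEu;
    return read_header_checked(&frame.hdr, on_disk, sizeof(on_disk)) == -1 &&
           frame.hdr.fields[0] == 0 && frame.canary == 0xC0FFEEu;
}

int main(void)
{
    return oversized_header_is_rejected() ? 0 : 1;
}
```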
Impact
Successful exploitation allows a local attacker to achieve privilege escalation to root, potentially executing arbitrary code in the Dovecot process context. The CVSS score is 8.8 (High) under CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability [1][2].
Mitigation
Fixed versions are 2.2.36.3 and 2.3.5.1, released on 2019-03-21 [1][2]. Since 2.3.0, Dovecot uses stack smash protection, ASLR, read-only GOT tables, and other techniques that make exploitation harder but do not fully mitigate the issue [2]. The only workaround is to disable the FTS and pop3-uidl plugins [2]. Fedora package announcements reference the fix, but their content is behind an anti-bot wall [3][4].
- [1] security - CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files
- [2] [Dovecot-news] CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files
- [3] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/
- [4] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (20)
1.1.alpha1, 1.1.alpha2, 1.1.alpha4, … + 1 more
- (no CPE) range: 1.1.alpha1, 1.1.alpha2, 1.1.alpha4, …
- (no CPE) range: <2.2.36.3, <2.3.5.1
- osv-coords (18 versions): < 2.3.3-lp150.8.2 + 17 more
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.0 (no CPE) range: < 2.3.3-lp150.8.2
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweed (no CPE) range: < 2.3.16-1.6
  - pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed (no CPE) range: < 2.4.0-1.1
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Enterprise%20Storage%204 (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot22&distro=SUSE%20OpenStack%20Cloud%207 (no CPE) range: < 2.2.31-19.14.2
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015 (no CPE) range: < 2.3.3-4.10.1
Patches (2)
2 files changed · +8 −1
configure.ac+1 −1 modified@@ -2,7 +2,7 @@ AC_PREREQ([2.59]) # Be sure to update ABI version also if anything changes that might require # recompiling plugins. Most importantly that means if any structs are changed. -AC_INIT([Dovecot],[2.3.5],[dovecot@dovecot.org]) +AC_INIT([Dovecot],[2.3.5.1],[dovecot@dovecot.org]) AC_DEFINE_UNQUOTED([DOVECOT_ABI_VERSION], "2.3.ABIv5($PACKAGE_VERSION)", [Dovecot ABI version]) AC_CONFIG_SRCDIR([src])
NEWS+7 −0 modified@@ -1,3 +1,10 @@ +v2.3.5.1 2019-03-28 Timo Sirainen <tss@iki.fi> + + * CVE-2019-7524: Missing input buffer size validation leads into + arbitrary buffer overflow when reading fts or pop3 uidl header + from Dovecot index. Exploiting this requires direct write access to + the index files. + v2.3.5 2019-03-05 Timo Sirainen <tss@iki.fi> + Lua push notification driver: mail keywords and flags are provided
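Review bot: in configure.ac, DOVECOT_ABI_VERSION is built from $PACKAGE_VERSION, so changing AC_INIT from 2.3.5 to 2.3.5.1 changes the ABI string even though the ABIv5 part is untouched. If that is intended for a security-only release, the v2.3.5.1 NEWS entry should say that separately built plugins need recompiling against the new version. In the same NEWS entry, "leads into arbitrary buffer overflow" should read "leads to".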
2 files changed · +8 −1
configure.ac+1 −1 modified@@ -2,7 +2,7 @@ AC_PREREQ([2.59]) # Be sure to update ABI version also if anything changes that might require # recompiling plugins. Most importantly that means if any structs are changed. -AC_INIT([Dovecot],[2.2.36.1],[dovecot@dovecot.org]) +AC_INIT([Dovecot],[2.2.36.3],[dovecot@dovecot.org]) AC_DEFINE_UNQUOTED([DOVECOT_ABI_VERSION], "2.2.ABIv36($PACKAGE_VERSION)", [Dovecot ABI version]) AC_CONFIG_AUX_DIR([.]) AC_CONFIG_SRCDIR([src])
NEWS+7 −0 modified@@ -1,3 +1,10 @@ +v2.2.36.3 2019-03-28 Timo Sirainen <tss@iki.fi> + + * CVE-2019-7524: Missing input buffer size validation leads into + arbitrary buffer overflow when reading fts or pop3 uidl header + from Dovecot index. Exploiting this requires direct write access to + the index files. + v2.2.36.1 2019-02-05 Timo Sirainen <tss@iki.fi> * CVE-2019-3814: If imap/pop3/managesieve/submission client has
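Review bot: configure.ac moves the version from 2.2.36.1 straight to 2.2.36.3, and in NEWS the new v2.2.36.3 entry sits directly above v2.2.36.1, so the visible context has no entry for 2.2.36.2. Add a line stating what 2.2.36.2 contained or that it was never released, so anyone matching an installed package version against NEWS can tell whether the CVE-2019-7524 fix is present. The entry would also be more useful if it named the first fixed version on the other branch.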
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (13)
- lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/ (mitre, vendor-advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/201904-19 (mitre, vendor-advisory, x_refsource_GENTOO)
- usn.ubuntu.com/3928-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4418 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.openwall.com/lists/oss-security/2019/03/28/1 (mitre, mailing-list, x_refsource_MLIST)
- www.securityfocus.com/bid/107672 (mitre, vdb-entry, x_refsource_BID)
- dovecot.org/list/dovecot-news/2019-March/000403.html (mitre, x_refsource_MISC)
- dovecot.org/security.html (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/03/msg00038.html (mitre, mailing-list, x_refsource_MLIST)
- seclists.org/bugtraq/2019/Mar/59 (mitre, mailing-list, x_refsource_BUGTRAQ)