CVE-2020-10957
Description
Unauthenticated attackers can crash Dovecot submission and lmtp services via a malformed NOOP command, causing a NULL pointer dereference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Dovecot versions 2.3.0 through 2.3.10, the submission-login, submission, and lmtp services improperly handle malformed parameters sent to the NOOP command. An unauthenticated remote attacker can trigger a NULL pointer dereference (CWE-476) by sending a specially crafted NOOP request, leading to a crash of the affected service [1].
Exploitation
An attacker needs only network access to the Dovecot submission or lmtp service ports. No authentication or prior knowledge is required. The attacker sends a NOOP command with malformed parameters, which causes the service to dereference a NULL pointer and terminate abruptly [1].
Impact
Successful exploitation results in a denial of service (DoS) due to the crash of the submission-login, submission, or lmtp process. The CVSS score is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating no confidentiality or integrity impact but high availability impact [1].
Mitigation
The vulnerability is fixed in Dovecot version 2.3.10.1, released on 2020-04-02. Users should upgrade to this version or later. No workarounds are documented. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Dovecot/Dovecot
- Range: < 2.3.10.1
- OSV package coordinates and affected ranges (no CPE):
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.1, range: < 2.3.10-lp151.2.9.1
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweed, range: < 2.3.16-1.6
  - pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed, range: < 2.4.0-1.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS, range: < 2.3.10-4.22.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS, range: < 2.3.10-4.22.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP1, range: < 2.3.10-11.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS, range: < 2.3.10-4.22.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015, range: < 2.3.10-4.22.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on NOOP command parameters leads to a NULL pointer dereference."
Attack vector
An unauthenticated remote attacker sends a malformed NOOP command — for example, ``NOOP EE"FY`` — to the submission port (or similarly malformed parameters to lmtp) [ref_id=1]. The malformed parameters trigger a NULL pointer dereference [CWE-476] in the service's command parser, causing the service process to crash [ref_id=1]. Because no authentication is required, the attacker can repeatedly send such commands to keep the submission-login service down, resulting in a denial of service [ref_id=1].
Affected code
The vulnerability affects the submission, submission-login, and lmtp services in Dovecot versions 2.3.0 through 2.3.10 [ref_id=1]. The advisory does not specify exact function or file names, but identifies the vulnerable components as the submission and lmtp services [ref_id=1].
What the fix does
The advisory states the fix was included in Dovecot version 2.3.10.1 [ref_id=1]. No patch diff is provided in the bundle, but the remediation guidance is to upgrade to the fixed version [ref_id=1]. The fix presumably adds proper input validation for NOOP command parameters to prevent the NULL pointer dereference.
Preconditions
- auth: No authentication required; the attacker can send commands to the service before login
- network: The attacker must be able to reach the submission port (or lmtp port) over the network
- input: The attacker sends a malformed NOOP command with specially crafted parameters
Reproduction
Send ``NOOP EE"FY`` to the submission port, or a similarly malformed command [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html (vendor advisory, SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/ (vendor advisory, Fedora)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/ (vendor advisory, Fedora)
- usn.ubuntu.com/4361-1/ (vendor advisory, Ubuntu)
- www.debian.org/security/2020/dsa-4690 (vendor advisory, Debian)
- packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html (misc)
- seclists.org/fulldisclosure/2020/May/37 (mailing list, Full Disclosure)
- www.openwall.com/lists/oss-security/2020/05/18/1 (mailing list, oss-security; vendor confirmation)
- dovecot.org/security (misc)
News mentions
No linked articles in our index yet.