CVE-2020-10958
Description
Dovecot before 2.3.10.1 allows unauthenticated use-after-free in submission-login, submission, or lmtp via crafted SMTP/LMTP message with many newlines, leading to crash or possible code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in Dovecot versions 2.3.0 through 2.3.10 in the submission-login, submission, and lmtp components. The bug occurs when a crafted SMTP or LMTP message containing many newlines after a command is processed, causing the server to access freed memory. No authentication is required to trigger this code path [1][2][3].
Exploitation
An unauthenticated attacker can exploit this remotely by sending a specially crafted SMTP or LMTP message with an excessive number of newlines after a command. The attacker only needs network access to the Dovecot server's SMTP or LMTP submission ports. The vulnerability does not require any prior authentication or user interaction [1][2][3].
Impact
Successful exploitation leads to a crash (denial of service) and, as noted in the Ubuntu security notice, may also enable arbitrary code execution [3]. The vulnerability has a CVSS v3.1 base score of 7.5 (High) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating high availability impact [1]. The privilege level achievable is that of the Dovecot process, which can compromise the entire mail service.
Mitigation
The fix was released in Dovecot version 2.3.10.1 on 2020-04-02 [1][2]. Administrators should upgrade to this version or later. Ubuntu and Fedora have released updated packages [3][4]. There is no viable workaround other than upgrading; disabling the affected components (submission or lmtp) is not recommended for normal operation.
- [1] security - Multiple vulnerabilities in Dovecot IMAP server
- [2] security - Multiple vulnerabilities in Dovecot IMAP server
- [3] USN-4361-1: Dovecot vulnerabilities | Ubuntu security notices | Ubuntu
- [4] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
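The Mitigation section above gives two kinds of fixed version: the upstream release 2.3.10.1 and distribution packages that backport the fix (for example the AlmaLinux range below, which is "fixed" at 1:2.3.8-4.el8 even though 2.3.8 is older than 2.3.10.1). A version check that only looks at the upstream number will therefore flag patched distro packages as vulnerable. The following is an added example, not part of this CVE record or of Dovecot itself: it parses the number from `dovecot --version` style output, applies the upstream range stated on this page (2.3.0 through 2.3.10, fixed in 2.3.10.1), and separately compares an RPM epoch:version-release string against the distro fixed versions listed under "Affected products". The distro labels, the sample version strings and the simplified `rpmvercmp` (no `~`/`^` handling) are this example's own assumptions.

```python
import re

# Upstream affected range as stated in this record: 2.3.0 .. 2.3.10, fixed in 2.3.10.1.
UPSTREAM_FIRST_AFFECTED = (2, 3, 0)
UPSTREAM_FIXED = (2, 3, 10, 1)

# Fixed package versions copied from the "Affected products" list on this page.
# The dictionary keys are labels invented for this example (assumption).
DISTRO_FIXED_EVR = {
    "almalinux8": "1:2.3.8-4.el8",
    "opensuse-leap-15.1": "2.3.10-lp151.2.9.1",
}


def parse_upstream_version(text):
    """Pull the dotted version number out of text such as '2.3.10 (abcdef)'
    (constructed sample; `dovecot --version` prints the version first)."""
    m = re.search(r"\b(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def upstream_affected(text):
    """True when the upstream version lies in [2.3.0, 2.3.10.1).
    Tuple comparison makes (2, 3, 10) < (2, 3, 10, 1), as required."""
    return UPSTREAM_FIRST_AFFECTED <= parse_upstream_version(text) < UPSTREAM_FIXED


_SEGMENT = re.compile(r"(\d+|[A-Za-z]+)")


def rpmvercmp(a, b):
    """Simplified RPM label comparison (assumption: no tilde/caret support).
    Labels are split into numeric and alphabetic segments; numeric segments
    compare as integers, alphabetic ones lexically, and a numeric segment
    sorts after an alphabetic one. Returns -1, 0 or 1."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)  # int() also drops leading zeros
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return (x > y) - (x < y)
    # All shared segments equal: the label with more segments is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def split_evr(evr):
    """Split 'epoch:version-release' into its parts; a missing epoch is 0."""
    epoch, rest = ("0", evr)
    if ":" in evr:
        epoch, rest = evr.split(":", 1)
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings the way rpm does: epoch, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def distro_package_affected(distro, installed_evr):
    """True when the installed package is older than the distro's fixed version."""
    return evr_cmp(installed_evr, DISTRO_FIXED_EVR[distro]) < 0


if __name__ == "__main__":
    # Constructed sample inputs, not real host data.
    print("upstream 2.3.10 affected:", upstream_affected("2.3.10 (constructed-hash)"))
    print("upstream 2.3.10.1 affected:", upstream_affected("2.3.10.1 (constructed-hash)"))
    print("almalinux 1:2.3.8-3.el8 affected:", distro_package_affected("almalinux8", "1:2.3.8-3.el8"))
    print("almalinux 1:2.3.8-4.el8 affected:", distro_package_affected("almalinux8", "1:2.3.8-4.el8"))
```

The two checks answer different questions: `upstream_affected` is the right test for a source build or a vendor tarball, while `distro_package_affected` is the right test for a packaged install, where the release field carries the backported fix. Treat a match from either check as a reason to verify against the vendor advisory for that platform, since the fixed versions on this page are a snapshot of the record, not of every distribution.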
Affected products
- Dovecot/Dovecot
  - Range: <2.3.10.1
- OSV package coordinates (10 entries, no CPE assigned; fixed version given as the upper bound of each range):
  - pkg:rpm/almalinux/dovecot: < 1:2.3.8-4.el8
  - pkg:rpm/almalinux/dovecot-devel: < 1:2.3.8-4.el8
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.1: < 2.3.10-lp151.2.9.1
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweed: < 2.3.16-1.6
  - pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed: < 2.4.0-1.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: < 2.3.10-4.22.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: < 2.3.10-4.22.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP1: < 2.3.10-11.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: < 2.3.10-4.22.1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: < 2.3.10-4.22.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper handling of input data (CWE-20) in command parsing leads to a use-after-free when many newlines follow a command."
Attack vector
An unauthenticated remote attacker sends a crafted command followed by a sufficient number of newlines to the submission or lmtp port [1][2]. This triggers a use-after-free bug in the service's command parsing logic [1]. The attacker does not need any prior authentication or special network position, making the attack vector straightforward [1].
Affected code
The vulnerability affects the submission, submission-login, and lmtp services in Dovecot versions 2.3.0 through 2.3.10 [1][2]. The advisory does not specify exact function or file names.
What the fix does
The advisory states the fix is included in Dovecot version 2.3.10.1 [1][2]. No patch diff is provided in the bundle, but the remediation guidance is to upgrade to the fixed version [1]. The fix likely corrects the improper handling of input data (CWE-20) that caused the use-after-free when many newlines follow a command [1].
Preconditions
- auth: No authentication required; the attacker can send commands to the service without prior login
- network: The target service (submission, submission-login, or lmtp) must be exposed on a network port reachable by the attacker
- input: The attacker sends a command followed by a sufficient number of newline characters
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html (mitre; vendor-advisory; x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/ (mitre; vendor-advisory; x_refsource_FEDORA)
- usn.ubuntu.com/4361-1/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4690 (mitre; vendor-advisory; x_refsource_DEBIAN)
- packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html (mitre; x_refsource_MISC)
- seclists.org/fulldisclosure/2020/May/37 (mitre; mailing-list; x_refsource_FULLDISC)
- www.openwall.com/lists/oss-security/2020/05/18/1 (mitre; mailing-list; x_refsource_MLIST)
- dovecot.org/security (mitre; x_refsource_MISC)
- www.openwall.com/lists/oss-security/2020/05/18/1 (mitre; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.