VYPR
Unrated severity · NVD Advisory · Published May 18, 2020 · Updated Aug 4, 2024

CVE-2020-10967

Description

Remote unauthenticated attackers can crash Dovecot's lmtp or submission process by sending an email with an empty localpart, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Dovecot versions 2.3.0 through 2.3.10 contain a NULL pointer dereference in the lmtp and submission processes [2]. When either service processes a mail address with an empty localpart (the part before the @), it fails to handle the resulting NULL value and the process crashes. Both the LMTP (Local Mail Transfer Protocol) service and the submission service are affected.

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a crafted email message with an empty localpart to a Dovecot server running the vulnerable version [2]. No special network position or user interaction is required; the attacker simply needs to deliver the malicious email to the server's lmtp or submission port.

Impact

Successful exploitation results in a denial of service (DoS) as the lmtp or submission process crashes [2][4]. This prevents legitimate mail delivery and submission until the process is restarted. The vulnerability does not lead to information disclosure or code execution; it is purely a denial of service.

Mitigation

The vulnerability is fixed in Dovecot version 2.3.10.1 [2]. Administrators should upgrade to this version or later. Ubuntu users can apply the update via package manager as per USN-4361-1 [4]. No workarounds are documented; upgrading is the recommended mitigation.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 12

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"NULL pointer dereference (CWE-476) when processing mail with an empty localpart in the submission or lmtp service."

Attack vector

A remote unauthenticated attacker can crash the lmtp or submission process by sending mail with an empty localpart [ref_id=1][ref_id=2]. The attack requires no authentication and is performed over the network against the submission or lmtp service ports. The advisory notes that for lmtp the risk is negligible because lmtp is usually behind a trusted MTA, but the submission-login service is directly exposed and can be kept down by repeated attacks [ref_id=1][ref_id=2].

Affected code

The vulnerability affects the submission and lmtp services in Dovecot versions 2.3.0 through 2.3.10 [ref_id=1][ref_id=2]. The advisory does not specify exact function or file paths, but identifies the vulnerable components as "submission, lmtp" [ref_id=1][ref_id=2].

What the fix does

The advisory states the fix is to upgrade to Dovecot version 2.3.10.1 [ref_id=1][ref_id=2]. No patch diff is included in the bundle, so the specific code changes are not visible. The vendor resolved the issue by properly handling input with an empty localpart to prevent the crash [ref_id=1][ref_id=2].
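The page gives only the shape of the defect (a missing NULL check on an empty localpart, CWE-476) and the fixed version, not the Dovecot code itself. The following added example is not Dovecot's code and not the vendor's patch; it is a small, constructed Python model of the same failure mode: an address handler that uses the localpart without checking it, beside the checked form that rejects the address with an SMTP-style 5xx reply and keeps processing the rest of the batch, plus a version-range check built from the advisory's stated range (2.3.0 through 2.3.10, fixed in 2.3.10.1). The parser, the `AddressRejected` exception, the reply text and the batch helper are all hypothetical names chosen for this illustration.

```python
"""Constructed model of CVE-2020-10967's failure mode (not Dovecot code).

Assumptions (hypothetical):
  - split_address() stands in for the address parsing done on the
    lmtp/submission input path; it returns None for an empty localpart,
    mirroring the NULL the advisory describes (CWE-476).
  - the version range comes from the advisory text on this page.
"""
from typing import List, Optional, Tuple

# Affected range and fixed version as stated in the advisory.
AFFECTED_MIN = (2, 3, 0)
AFFECTED_MAX = (2, 3, 10)
FIXED_VERSION = (2, 3, 10, 1)


def parse_version(s: str) -> Tuple[int, ...]:
    """'2.3.10.1' -> (2, 3, 10, 1); tuples compare component-wise."""
    return tuple(int(p) for p in s.strip().split("."))


def is_affected(version: str) -> bool:
    """True when 2.3.0 <= version <= 2.3.10; 2.3.10.1 sorts above 2.3.10."""
    v = parse_version(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def split_address(addr: str) -> Tuple[Optional[str], str]:
    """Split 'local@domain' (optionally in <>) into (localpart, domain).

    An empty localpart is returned as None, the analogue of the NULL value
    the vulnerable code failed to check.
    """
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    local, sep, domain = addr.rpartition("@")
    if not sep:                      # no '@' at all: whole string is the localpart
        return (addr or None, "")
    return (local or None, domain)


def mailbox_key_unchecked(addr: str) -> str:
    """Pre-fix shape: uses the localpart without a NULL/None check.

    For '<@example.com>' this raises AttributeError, the Python analogue of
    the NULL dereference that took the whole lmtp/submission process down.
    """
    local, domain = split_address(addr)
    return local.lower() + "@" + domain.lower()


class AddressRejected(ValueError):
    """Hypothetical per-address rejection carrying an SMTP-style reply."""


def mailbox_key_checked(addr: str) -> str:
    """Post-fix shape: reject an empty localpart instead of dereferencing it."""
    local, domain = split_address(addr)
    if local is None:
        raise AddressRejected("501 5.1.3 Bad address syntax")
    return local.lower() + "@" + domain.lower()


def crashes_unchecked(addr: str) -> bool:
    """True if the unchecked handler would have crashed on this address."""
    try:
        mailbox_key_unchecked(addr)
        return False
    except AttributeError:
        return True


def deliver_batch(recipients: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Process a batch with the checked handler: one bad address is rejected
    with a reply, the process stays up and the remaining addresses are served."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for r in recipients:
        try:
            accepted.append(mailbox_key_checked(r))
        except AddressRejected as e:
            rejected.append((r, str(e)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample batch: one empty-localpart address among valid ones.
    batch = ["alice@example.org", "<@example.org>", "Bob@Example.org"]
    print("2.3.10 affected:", is_affected("2.3.10"), "| 2.3.10.1 affected:", is_affected("2.3.10.1"))
    print("unchecked handler crashes on '<@example.org>':", crashes_unchecked("<@example.org>"))
    print("checked handler batch result:", deliver_batch(batch))
```

The point of the batch helper is the operational difference the advisory describes: in the unchecked form a single empty-localpart address terminates the process and every other pending delivery with it, whereas the checked form answers that one address with a 5xx reply and continues. The version check is only as precise as the advisory's stated range; pair it with the package manager's own version comparison (for example the USN-4361-1 update on Ubuntu) rather than relying on it alone.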

Preconditions

  • auth: No authentication required
  • network: Attacker must be able to send mail to the submission or lmtp service port
  • input: Mail must have an empty localpart

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 13

News mentions: 0 (no linked articles in our index yet)