CVE-2020-7046
Description
Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 in command parameters, allowing unauthenticated remote denial of service via an infinite loop in submission-login and lmtp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in lib-smtp within Dovecot's submission-login and lmtp components. Due to improper handling of truncated UTF-8 data in command parameters, a crafted input can cause an infinite loop, consuming 100% CPU. This affects Dovecot core version 2.3.9; the issue is fixed in version 2.3.9.3 [1][2].
Exploitation
An unauthenticated attacker can trigger the vulnerability by sending a specially crafted, truncated UTF-8 sequence as part of an SMTP command to the submission-login or LMTP service. No authentication or prior access is required; the attacker only needs network reachability to the affected services. The malformed input causes the lib-smtp parser to enter an infinite loop, locking the process [1][2].
Impact
Successful exploitation results in a denial of service (DoS) condition. The affected submission-login or lmtp process becomes unresponsive and consumes 100% CPU, effectively exhausting system resources and preventing legitimate mail submission or delivery. There is no impact on confidentiality or integrity; the CVSS score is 7.5 (High) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [1][2].
Mitigation
Upgrade to Dovecot 2.3.9.3, released on or around February 12, 2020, which contains the fix for CVE-2020-7046 [1][2]. No workarounds have been published for systems that cannot immediately upgrade. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Dovecot/Dovecot
- Range: >=2.3.9, <2.3.9.3
- OSV coordinates (2 versions): pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweed, pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed
  - (no CPE) range: < 2.3.16-1.6
  - (no CPE) range: < 2.4.0-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/ (MITRE; vendor advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/ (MITRE; vendor advisory; x_refsource_FEDORA)
- www.openwall.com/lists/oss-security/2020/02/12/1 (MITRE; x_refsource_CONFIRM)
- dovecot.org/pipermail/dovecot-news/2020-February/000431.html (MITRE; x_refsource_CONFIRM)
- dovecot.org/security (MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.