Unrated severity · NVD Advisory · Published Sep 1, 2021 · Updated Aug 3, 2024

CVE-2021-33582

Description

Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A hash-table collision vulnerability in Cyrus IMAP before 3.4.2/3.2.8/3.0.16 allows remote attackers to cause a denial of service (multiple-minute daemon hang): many insertions land in a single bucket, and strcmp over that bucket becomes slow.

Vulnerability

The vulnerability resides in the Cyrus IMAP daemon's hash-table implementation, where crafted input can cause many entries to be inserted into a single hash bucket. This results in extremely slow string comparisons (strcmp) as the bucket list grows, leading to a denial of service. Affected versions include all Cyrus IMAP releases prior to 3.4.2, 3.2.8, and 3.0.16 [1][3].
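The cost described above can be measured on a toy chained hash table. The following is an added example, not Cyrus IMAP code: the table, the FNV-1a hash, the constant "one bucket" hash and the key names are all assumptions chosen to model the failure mode, and the keys are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 1024u
struct node { char key[16]; struct node *next; };

/* FNV-1a (an assumption for this sketch): spreads the constructed keys over buckets. */
static unsigned hash_spread(const char *s) {
    unsigned h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}

/* Stand-in for the failure mode in the advisory: every key shares one bucket. */
static unsigned hash_one_bucket(const char *s) { (void)s; return 0; }

/* Insert n distinct constructed keys ("key0", "key1", ...) into a chained table.
 * Each insert walks its bucket's chain with strcmp to look for a duplicate.
 * Returns the number of strcmp calls; *longest receives the longest chain. */
static unsigned long count_strcmp(unsigned n, unsigned (*hash)(const char *),
                                  unsigned *longest) {
    struct node **tab = calloc(NBUCKETS, sizeof *tab), *p, *nn;
    unsigned long cmps = 0;
    *longest = 0;
    if (!tab) return 0;
    for (unsigned i = 0; i < n; i++) {
        char key[16];
        unsigned b, len = 0;
        snprintf(key, sizeof key, "key%u", i);
        b = hash(key) % NBUCKETS;
        for (p = tab[b]; p; p = p->next, len++) {
            cmps++;                                   /* one strcmp per chain node */
            if (strcmp(p->key, key) == 0) break;
        }
        if (p || !(nn = malloc(sizeof *nn))) continue; /* duplicate or out of memory */
        strcpy(nn->key, key);
        nn->next = tab[b]; tab[b] = nn;
        if (len + 1 > *longest) *longest = len + 1;
    }
    for (unsigned b = 0; b < NBUCKETS; b++)
        while ((p = tab[b])) { tab[b] = p->next; free(p); }
    free(tab);
    return cmps;
}

int main(void) {
    unsigned a, b;
    unsigned long s = count_strcmp(2000, hash_spread, &a);
    unsigned long d = count_strcmp(2000, hash_one_bucket, &b);
    printf("spread: %lu strcmp, chain %u; one bucket: %lu strcmp, chain %u\n", s, a, d, b);
    return 0;
}
```

With every key in one bucket, n inserts cost n(n-1)/2 comparisons, so doubling the input quadruples the work. The longest-chain value is the kind of metric a defender can track to spot a table degrading this way.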

Exploitation

An attacker with network access to the Cyrus IMAP service can send specially crafted input that forces numerous entries into one hash bucket. No authentication is required. The attack causes the daemon to spend multiple minutes performing comparisons, effectively hanging it and denying service to legitimate users.

Impact

Successful exploitation results in a denial of service, where the Cyrus IMAP daemon becomes unresponsive for an extended period (multiple minutes). There is no impact on confidentiality or integrity; only availability is affected.

Mitigation

This vulnerability is fixed in Cyrus IMAP versions 3.4.2, 3.2.8, and 3.0.16 [1][3]. Users should upgrade to one of these releases. No workarounds are documented in the available references.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
