{ "document": { "aggregate_severity": { "text": "Medium" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/rhel7els/vex/2026/cve-2026-33603-els_os-rhel7els.json" } ], "tracking": { "current_release_date": "2026-05-22T16:07:02Z", "generator": { "date": "2026-05-22T16:07:02Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2026-33603-ELS_OS-RHEL7ELS", "initial_release_date": "2026-05-12T14:17:00Z", "revision_history": [ { "date": "2026-05-12T14:17:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-05-22T16:07:02Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "Security update on CVE-2026-33603" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux 7", "product": { "name": "Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7", "product_identification_helper": { "cpe": "cpe:2.3:o:redhat:enterprise_linux:7:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "dovecot-1:2.2.36-8.el7.i686", "product": { "name": "dovecot-1:2.2.36-8.el7.i686", "product_id": "dovecot-1:2.2.36-8.el7.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/dovecot@2.2.36-8.el7?arch=i686&epoch=1" } } }, { "category": "product_version", "name": "dovecot-devel-1:2.2.36-8.el7.i686", "product": { "name": "dovecot-devel-1:2.2.36-8.el7.i686", "product_id": "dovecot-devel-1:2.2.36-8.el7.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/dovecot-devel@2.2.36-8.el7?arch=i686&epoch=1" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "dovecot-1:2.2.36-8.el7.x86_64", "product": { "name": "dovecot-1:2.2.36-8.el7.x86_64", "product_id": "dovecot-1:2.2.36-8.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/dovecot@2.2.36-8.el7?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-devel-1:2.2.36-8.el7.x86_64", "product": { "name": "dovecot-devel-1:2.2.36-8.el7.x86_64", "product_id": "dovecot-devel-1:2.2.36-8.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/dovecot-devel@2.2.36-8.el7?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-mysql-1:2.2.36-8.el7.x86_64", "product": { "name": "dovecot-mysql-1:2.2.36-8.el7.x86_64", "product_id": "dovecot-mysql-1:2.2.36-8.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/dovecot-mysql@2.2.36-8.el7?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-pigeonhole-1:2.2.36-8.el7.x86_64", "product": { "name": "dovecot-pigeonhole-1:2.2.36-8.el7.x86_64", "product_id": "dovecot-pigeonhole-1:2.2.36-8.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/dovecot-pigeonhole@2.2.36-8.el7?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-pgsql-1:2.2.36-8.el7.x86_64", "product": { "name": "dovecot-pgsql-1:2.2.36-8.el7.x86_64", "product_id": "dovecot-pgsql-1:2.2.36-8.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/dovecot-pgsql@2.2.36-8.el7?arch=x86_64&epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "product": { "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "product_id": "dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot@2.2.36-8.el7.tuxcare.els1?arch=i686&epoch=1" } } }, { "category": "product_version", "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "product": { "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "product_id": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot-devel@2.2.36-8.el7.tuxcare.els1?arch=i686&epoch=1" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product": { "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_id": "dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot@2.2.36-8.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product": { "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_id": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot-devel@2.2.36-8.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product": { "name": "dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_id": "dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot-mysql@2.2.36-8.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product": { "name": "dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_id": "dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot-pigeonhole@2.2.36-8.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product": { "name": "dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_id": "dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot-pgsql@2.2.36-8.el7.tuxcare.els1?arch=x86_64&epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.i686" }, "product_reference": "dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-1:2.2.36-8.el7.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-1:2.2.36-8.el7.i686" }, "product_reference": "dovecot-1:2.2.36-8.el7.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64" }, "product_reference": "dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-1:2.2.36-8.el7.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-1:2.2.36-8.el7.x86_64" }, "product_reference": "dovecot-1:2.2.36-8.el7.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686" }, "product_reference": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-devel-1:2.2.36-8.el7.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.i686" }, "product_reference": "dovecot-devel-1:2.2.36-8.el7.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64" }, "product_reference": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-devel-1:2.2.36-8.el7.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.x86_64" }, "product_reference": "dovecot-devel-1:2.2.36-8.el7.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64" }, "product_reference": "dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-mysql-1:2.2.36-8.el7.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.x86_64" }, "product_reference": "dovecot-mysql-1:2.2.36-8.el7.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64" }, "product_reference": "dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-pigeonhole-1:2.2.36-8.el7.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.x86_64" }, "product_reference": "dovecot-pigeonhole-1:2.2.36-8.el7.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64" }, "product_reference": "dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-pgsql-1:2.2.36-8.el7.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.x86_64" }, "product_reference": "dovecot-pgsql-1:2.2.36-8.el7.x86_64", "relates_to_product_reference": "Red-Hat-7" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33603", "cwe": { "id": "CWE-99", "name": "Improper Control of Resource Identifiers ('Resource Injection')" }, "notes": [ { "category": "description", "text": "Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Red-Hat-7:dovecot-1:2.2.36-8.el7.i686", "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.i686", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-33603" }, { "category": "external", "summary": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json", "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json" } ], "release_date": "2026-05-12T14:17:00Z", "remediations": [ { "category": "no_fix_planned", "date": "2026-05-19T17:38:36.053004Z", "details": "Deprioritize this issue because exploitation requires an active on‑path attacker on the same network segment to successfully intercept the client–server SASL flow and craft a specific exchange, and it only undermines SCRAM channel binding rather than breaking TLS itself—clients that validate the server certificate are not trivially susceptible to MITM. The stated vector (Adjacent) and high attack complexity, combined with no integrity or availability impact, confine the risk to potential exposure of in‑transit mail data rather than server compromise. Additionally, only deployments that actually negotiate SCRAM “-PLUS” (channel‑binding) mechanisms are affected, which further limits practical exposure in centrally managed server/VM environments.", "product_ids": [ "Red-Hat-7:dovecot-1:2.2.36-8.el7.i686", "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.i686", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "Red-Hat-7:dovecot-1:2.2.36-8.el7.i686", "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.i686", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.x86_64", "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }