{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/rhel7els/vex/2026/cve-2026-42006-els_os-rhel7els.json" } ], "tracking": { "current_release_date": "2026-05-22T16:07:01Z", "generator": { "date": "2026-05-22T16:07:01Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2026-42006-ELS_OS-RHEL7ELS", "initial_release_date": "2026-05-12T14:17:00Z", "revision_history": [ { "date": "2026-05-12T14:17:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-05-22T16:07:01Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "Security update on CVE-2026-42006" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux 7", "product": { "name": "Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7", "product_identification_helper": { "cpe": "cpe:2.3:o:redhat:enterprise_linux:7:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" } ], "category": "vendor", "name": "Red Hat, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "product": { "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "product_id": "dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot@2.2.36-8.el7.tuxcare.els1?arch=i686&epoch=1" } } }, { "category": "product_version", "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "product": { "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "product_id": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot-devel@2.2.36-8.el7.tuxcare.els1?arch=i686&epoch=1" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product": { "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_id": "dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot@2.2.36-8.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product": { "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_id": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot-devel@2.2.36-8.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product": { "name": "dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_id": "dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot-mysql@2.2.36-8.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product": { "name": "dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_id": "dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot-pigeonhole@2.2.36-8.el7.tuxcare.els1?arch=x86_64&epoch=1" } } }, { "category": "product_version", "name": "dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product": { "name": "dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_id": "dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/dovecot-pgsql@2.2.36-8.el7.tuxcare.els1?arch=x86_64&epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.i686" }, "product_reference": "dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64" }, "product_reference": "dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686" }, "product_reference": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64" }, "product_reference": "dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64" }, "product_reference": "dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64" }, "product_reference": "dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64" }, "product_reference": "dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "relates_to_product_reference": "Red-Hat-7" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-42006", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "description", "text": "An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.", "title": "Vulnerability description" }, { "category": "other", "text": "TuxCare has assessed that this vulnerability does not impact any currently supported TuxCare products. This evaluation may change as new information becomes available. For additional details regarding this vulnerability and affected products, refer to the provided references.", "title": "Statement" } ], "product_status": { "known_not_affected": [ "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-42006" }, { "category": "external", "summary": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json", "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json" } ], "release_date": "2026-05-12T14:17:00Z", "threats": [ { "category": "impact", "details": "Moderate" }, { "category": "impact", "date": "2026-05-21T10:09:44.207180Z", "details": "unknown", "product_ids": [ "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.i686", "Red-Hat-7:dovecot-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.i686", "Red-Hat-7:dovecot-devel-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-mysql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-pgsql-1:2.2.36-8.el7.tuxcare.els1.x86_64", "Red-Hat-7:dovecot-pigeonhole-1:2.2.36-8.el7.tuxcare.els1.x86_64" ] } ] } ] }