ALAS2-2026-3252


Amazon Linux 2 Security Advisory: ALAS2-2026-3252
Advisory Released Date: 2026-04-30
Advisory Updated Date: 2026-04-30
Severity: Important

Issue Overview:

Doveadm credentials are verified using a direct comparison, which is susceptible to a timing oracle attack. An attacker can use this to determine the configured credentials. Determining the credentials leads to full access to the affected component. Limit access to the doveadm HTTP service port and install the fixed version. No publicly available exploits are known. (CVE-2026-27856)
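The difference between a direct comparison and a constant-time one, shown as an added example (this is not Dovecot's code and not part of the advisory). The function names, the byte counter used as a stand-in for response time, and the sample secret are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Early-exit ("direct") comparison. *examined counts the bytes inspected,
 * a deterministic stand-in for the response time a remote client observes. */
static int naive_equal(const char *secret, const char *guess, size_t *examined)
{
    for (size_t i = 0;; i++) {
        *examined = i + 1;
        if (secret[i] != guess[i])
            return 0;                 /* returns at the first mismatch */
        if (secret[i] == '\0')
            return 1;
    }
}

/* Constant-time comparison: the loop length is set by the caller-supplied
 * guess, and every difference is folded into one accumulator, so the work
 * done does not depend on how many leading bytes of the secret matched. */
static int ct_str_equal(const char *secret, const char *guess, size_t *examined)
{
    size_t slen = strlen(secret), glen = strlen(guess);
    unsigned char diff = (unsigned char)(slen != glen);

    for (size_t i = 0; i < glen; i++)
        diff |= (unsigned char)(secret[slen ? i % slen : 0] ^ guess[i]);
    *examined = glen;
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any real configuration. */
    const char *secret = "s3cretkey";
    const char *guesses[] = { "xxxxxxxxx", "s3cxxxxxx", "s3cretkex", "s3cretkey" };

    for (size_t g = 0; g < sizeof(guesses) / sizeof(guesses[0]); g++) {
        size_t n_naive, n_ct;
        int r1 = naive_equal(secret, guesses[g], &n_naive);
        int r2 = ct_str_equal(secret, guesses[g], &n_ct);
        printf("%-10s naive: ok=%d bytes=%zu | constant-time: ok=%d bytes=%zu\n",
               guesses[g], r1, n_naive, r2, n_ct);
    }
    return 0;
}
```

With the direct comparison, the work done grows with the length of the matching prefix, which is the signal a timing oracle relies on. The constant-time version inspects the same number of bytes for every guess of a given length.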

Sending a "NOOP (((...)))" command with 4000 open+close parentheses results in ~1 MB of extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command-ending LF. An attacker could therefore connect, possibly from even a single IP, and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching the VSZ limit and killing the process and its other proxied connections. Install the fixed version; there is no other remediation. No publicly available exploits are known. (CVE-2026-27857)


Affected Packages:

dovecot


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update dovecot or yum update --advisory ALAS2-2026-3252 to update your system.

New Packages:
aarch64:
    dovecot-2.2.36-6.amzn2.1.3.aarch64
    dovecot-pigeonhole-2.2.36-6.amzn2.1.3.aarch64
    dovecot-pgsql-2.2.36-6.amzn2.1.3.aarch64
    dovecot-mysql-2.2.36-6.amzn2.1.3.aarch64
    dovecot-devel-2.2.36-6.amzn2.1.3.aarch64
    dovecot-debuginfo-2.2.36-6.amzn2.1.3.aarch64

i686:
    dovecot-2.2.36-6.amzn2.1.3.i686
    dovecot-pigeonhole-2.2.36-6.amzn2.1.3.i686
    dovecot-pgsql-2.2.36-6.amzn2.1.3.i686
    dovecot-mysql-2.2.36-6.amzn2.1.3.i686
    dovecot-devel-2.2.36-6.amzn2.1.3.i686
    dovecot-debuginfo-2.2.36-6.amzn2.1.3.i686

src:
    dovecot-2.2.36-6.amzn2.1.3.src

x86_64:
    dovecot-2.2.36-6.amzn2.1.3.x86_64
    dovecot-pigeonhole-2.2.36-6.amzn2.1.3.x86_64
    dovecot-pgsql-2.2.36-6.amzn2.1.3.x86_64
    dovecot-mysql-2.2.36-6.amzn2.1.3.x86_64
    dovecot-devel-2.2.36-6.amzn2.1.3.x86_64
    dovecot-debuginfo-2.2.36-6.amzn2.1.3.x86_64