Amazon Linux 2023 Security Advisory: ALAS2023-2026-1570
Advisory Released Date: 2026-04-13
Advisory Updated Date: 2026-04-13
Severity: Important

Issue Overview:

Doveadm credentials are verified using a direct comparison, which is susceptible to a timing-oracle attack. An attacker can use this to determine the configured credentials, and recovering the credential leads to full access to the affected component. Limit access to the doveadm HTTP service port and install the fixed version. No publicly available exploits are known. (CVE-2026-27856)
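Added example, not Dovecot's own code: the early-exit comparison pattern the advisory describes beside a constant-time alternative. Function names, the step counter and the sample credential are constructed for illustration; the step counter only exists to make the difference in work visible.

```c
#include <stddef.h>
#include <string.h>

/* Vulnerable pattern: early-exit comparison. The loop returns as soon as a
 * byte differs, so the time taken (here: the number of steps) reveals how
 * many leading bytes of the supplied value matched the expected one. */
int direct_compare(const char *expected, const char *supplied, size_t *steps)
{
    size_t i;
    *steps = 0;
    for (i = 0; expected[i] != '\0' && supplied[i] != '\0'; i++) {
        (*steps)++;
        if (expected[i] != supplied[i])
            return 0;                   /* early exit leaks the position */
    }
    return expected[i] == supplied[i];  /* 1 only if both hit the terminator */
}

/* Hardened pattern: constant-time comparison. Every byte of the expected
 * value is visited and mismatches are accumulated with OR, so the work done
 * depends only on the expected length, never on where a mismatch occurs.
 * A length mismatch is folded into the result instead of returning early. */
int constant_time_compare(const char *expected, const char *supplied,
                          size_t *steps)
{
    size_t elen = strlen(expected);
    size_t slen = strlen(supplied);
    size_t i;
    unsigned char diff = (unsigned char)(elen != slen);

    *steps = 0;
    for (i = 0; i < elen; i++) {
        /* Index the supplied value modulo its length so we never read past
         * its terminator; when lengths differ, diff is already non-zero. */
        unsigned char s = (slen == 0) ? 0 : (unsigned char)supplied[i % slen];
        diff |= (unsigned char)expected[i] ^ s;
        (*steps)++;
    }
    return diff == 0;
}
```
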

Sending a "NOOP (((...)))" command with 4000 open and close parentheses results in ~1 MB of extra memory usage; longer commands result in client disconnection. This 1 MB can be left allocated for longer periods by not sending the LF that ends the command, so an attacker could connect, possibly from even a single IP, and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching the VSZ limit and killing the process along with its other proxied connections. Install the fixed version; there is no other remediation. No publicly available exploits are known. (CVE-2026-27857)

An attacker can send a specifically crafted message before authentication that causes managesieve to allocate a large amount of memory. An attacker can also make managesieve-login unavailable by repeatedly crashing the process. Protect access to the managesieve protocol, or install the fixed version. No publicly available exploits are known. (CVE-2026-27858)


Affected Packages:

dovecot


Issue Correction:
Run dnf update dovecot --releasever 2023.11.20260413 or dnf update --advisory ALAS2023-2026-1570 --releasever 2023.11.20260413 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    dovecot-mysql-debuginfo-2.3.20-1.amzn2023.0.3.aarch64
    dovecot-pgsql-debuginfo-2.3.20-1.amzn2023.0.3.aarch64
    dovecot-pigeonhole-debuginfo-2.3.20-1.amzn2023.0.3.aarch64
    dovecot-pgsql-2.3.20-1.amzn2023.0.3.aarch64
    dovecot-mysql-2.3.20-1.amzn2023.0.3.aarch64
    dovecot-pigeonhole-2.3.20-1.amzn2023.0.3.aarch64
    dovecot-devel-2.3.20-1.amzn2023.0.3.aarch64
    dovecot-debuginfo-2.3.20-1.amzn2023.0.3.aarch64
    dovecot-2.3.20-1.amzn2023.0.3.aarch64
    dovecot-debugsource-2.3.20-1.amzn2023.0.3.aarch64

src:
    dovecot-2.3.20-1.amzn2023.0.3.src

x86_64:
    dovecot-pgsql-debuginfo-2.3.20-1.amzn2023.0.3.x86_64
    dovecot-pigeonhole-debuginfo-2.3.20-1.amzn2023.0.3.x86_64
    dovecot-pgsql-2.3.20-1.amzn2023.0.3.x86_64
    dovecot-mysql-debuginfo-2.3.20-1.amzn2023.0.3.x86_64
    dovecot-mysql-2.3.20-1.amzn2023.0.3.x86_64
    dovecot-pigeonhole-2.3.20-1.amzn2023.0.3.x86_64
    dovecot-debuginfo-2.3.20-1.amzn2023.0.3.x86_64
    dovecot-devel-2.3.20-1.amzn2023.0.3.x86_64
    dovecot-2.3.20-1.amzn2023.0.3.x86_64
    dovecot-debugsource-2.3.20-1.amzn2023.0.3.x86_64