Email

On May 4, 2026, Wietse Venema released Postfix 3.11.2, 3.10.9, 3.9.10, and 3.8.16. If you run a mail server, this is the update you actually want to read — not because the CVSS score is alarming (it isn’t), but because one of the bugs patched in this release has been sitting in the codebase since 2005. The CVE Worth Knowing About CVE-2026-43964 is an off-by-one error in how Postfix handles enhanced status codes. If an SMTP access table, policy server, DNSBL response, or milter returns a bare status code — something like 5.7.2 without any text following it — the daemon reads past the end of the allocated buffer. The result is a process crash. ...

In late March, the Dovecot team published advisory OXDC-ADV-2026-0001 — a bundle of eight CVEs covering everything from pre-authentication path traversal to SQL injection to multiple denial-of-service vectors. If Dovecot is the IMAP daemon on your mail server (it almost certainly is), this deserves your attention. Here is a breakdown of what matters, in roughly descending order of alarm. The Serious Ones CVE-2026-24031 — SQL injection auth bypass (CVSS 7.7, HIGH) ...