Skip to main content

Exim Mail Server CVE-2026-40684

| EUVDEUVD-2026-26442 MEDIUM
Incorrect Provision of Specified Functionality (CWE-684)
2026-04-30 mitre
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
May 01, 2026 - 18:16 nvd
Patch available
Patch available
Apr 30, 2026 - 23:02 EUVD
Analysis Generated
Apr 30, 2026 - 22:00 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 21:45 euvd
EUVD-2026-26442
Analysis Generated
Apr 30, 2026 - 21:45 vuln.today
CVE Published
Apr 30, 2026 - 00:00 nvd
MEDIUM 5.9

DescriptionCVE.org

In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

AnalysisAI

Denial of service in Exim before 4.99.2 on musl libc systems allows remote attackers to crash mail server connection instances by sending malformed DNS PTR records that trigger an octal printing bug in the dn_expand function. The vulnerability requires high network complexity to exploit but results in service unavailability for affected connections. No patch version confirmation available from provided references.

Technical ContextAI

Exim is a widely-deployed mail transfer agent (MTA) that processes incoming mail connections and performs DNS lookups, including reverse DNS (PTR) queries for sender verification. The vulnerability exists in how Exim handles DNS response parsing on systems using musl libc rather than glibc. The musl C library implements dn_expand (a DNS name decompression function) differently, and when processing malformed or maliciously crafted PTR records, an edge case in octal character printing causes memory corruption or buffer issues that crash the connection handler. CWE-684 (Incorrect Provision of Specified Functionality) indicates the root cause is improper handling of the DNS parsing output under musl-specific conditions.

RemediationAI

Upgrade Exim to version 4.99.2 or later, which corrects the octal printing handling in DNS response parsing. For systems unable to immediately patch, restrict inbound SMTP connections to trusted networks or implement rate-limiting on connection attempts to reduce the window for exploitation. Alternative mitigations include disabling PTR lookups in Exim's configuration (set 'host_lookup = no' in main config section) if not required for your mail policy, though this may impact sender verification and reputation checks. Organizations using Alpine Linux or musl-based Exim containers should prioritize patching through package manager updates or rebuilding container images with Exim 4.99.2. Monitor Exim logs for connection crashes and correlate with DNS lookup activity. Note: disabling PTR lookups may reduce security visibility; verify this aligns with your authentication and reputation framework before deploying.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-40684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy