Skip to main content

Exim CVE-2026-40685

| EUVDEUVD-2026-26443 MEDIUM
Incorrect Provision of Specified Functionality (CWE-684)
2026-04-30 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

6
Patch released
May 01, 2026 - 17:51 nvd
Patch available
Patch available
Apr 30, 2026 - 23:02 EUVD
Analysis Generated
Apr 30, 2026 - 22:00 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 21:45 euvd
EUVD-2026-26443
Analysis Generated
Apr 30, 2026 - 21:45 vuln.today
CVE Published
Apr 30, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.

AnalysisAI

Out-of-bounds heap write in Exim before 4.99.2 allows unauthenticated remote attackers to cause denial of service and potentially corrupt memory when the JSON lookup feature is enabled and malformed JSON is present in untrusted email headers, due to incorrect backslash escape sequence handling in the JSON operator.

Technical ContextAI

Exim is a mail transport agent (MTA) that processes email headers and message content. The vulnerability exists in Exim's JSON lookup functionality, which parses JSON-formatted data within email processing contexts. The root cause (CWE-684: Incorrect Type Conversion or Cast) stems from improper implementation of backslash escape sequence skipping in the JSON operator-specifically, the parser fails to correctly handle malformed escape sequences, leading to out-of-bounds writes into heap memory. When JSON lookup is enabled and an untrusted email header contains specially crafted malformed JSON, the parser writes beyond allocated buffer boundaries, corrupting heap structures. The vulnerability is triggered during mail message processing, a network-facing operation in typical MTA deployments.

RemediationAI

Upgrade Exim to version 4.99.2 or later to apply the vendor-released patch. The upstream fix is confirmed by commit 9fdc057e71b87c87a0d3d2288b2810a0efaaba57 in the Exim repository. For organizations unable to patch immediately, the primary mitigation is to disable the JSON lookup feature in the Exim configuration file unless it is actively required for mail processing logic-edit the configuration to remove or comment out JSON lookup operators and restart the service. As a compensating control, restrict email routing through the vulnerable server to trusted internal sources only and implement strict rate-limiting on mail submission ports to reduce exposure window. However, these controls do not eliminate the vulnerability if JSON lookup remains enabled. Detailed assessment and patch availability information is available at https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40685.assessment and the Exim security advisory at https://exim.org/static/doc/security/CVE-2025-40685.txt.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-40685 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy