Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
6DescriptionCVE.org
In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.
AnalysisAI
Out-of-bounds read in Exim before 4.99.2 when UTF-8 operators are enabled allows remote unauthenticated attackers to leak sensitive information through error messages by sending email with malformed UTF-8 trailing characters in headers. The vulnerability has high attack complexity due to the requirement for UTF-8 operator enablement and specific malformed input crafting, but requires no user interaction and operates over the network on default deployments.
Technical ContextAI
Exim is a message transfer agent (MTA) that processes email headers and body content. The vulnerability resides in the UTF-8 operator handling code when processing email headers containing malformed UTF-8 sequences, specifically oversized trailing characters that exceed buffer boundaries. CWE-125 (Out-of-bounds Read) indicates the UTF-8 parsing logic fails to validate character boundaries before accessing memory, allowing the parser to read beyond allocated buffer regions. The affected CPE cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:* confirms all Exim versions prior to 4.99.2 are vulnerable when the UTF-8 operator feature is active.
RemediationAI
Upgrade Exim to version 4.99.2 or later as the primary remediation. The upstream fix is available via commit f2570bde16fb4d4a1242ff363a4c4eecf6372efc in the Exim code repository. For deployments unable to immediately upgrade, disable UTF-8 operator functionality if operationally feasible-review the Exim configuration to disable any utf8 operators in ACLs, string expansions, or header processing rules. This workaround eliminates the attack surface but may impact email processing for non-ASCII headers; verify compatibility with organizational requirements before implementation. Consult https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40686.assessment for vendor assessment details and patch availability timelines.
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitr
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. Rat
Exim mail server version 4.98 before 4.98.1 contains a remote SQL injection vulnerability when SQLite hints and ETRN ser
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Rated critical severity (CVSS 9.8), this vulnerability is re
Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM suppor
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. Rated critical sev
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. Rated critical severity (CVS
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attacke
Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_mall
Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26444