Skip to main content

Exim CVE-2026-40686

| EUVDEUVD-2026-26444 LOW
Out-of-bounds Read (CWE-125)
2026-04-30 mitre
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
May 01, 2026 - 17:44 nvd
Patch available
Patch available
Apr 30, 2026 - 23:02 EUVD
Analysis Generated
Apr 30, 2026 - 22:00 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 21:45 euvd
EUVD-2026-26444
Analysis Generated
Apr 30, 2026 - 21:45 vuln.today
CVE Published
Apr 30, 2026 - 00:00 nvd
LOW 3.7

DescriptionCVE.org

In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.

AnalysisAI

Out-of-bounds read in Exim before 4.99.2 when UTF-8 operators are enabled allows remote unauthenticated attackers to leak sensitive information through error messages by sending email with malformed UTF-8 trailing characters in headers. The vulnerability has high attack complexity due to the requirement for UTF-8 operator enablement and specific malformed input crafting, but requires no user interaction and operates over the network on default deployments.

Technical ContextAI

Exim is a message transfer agent (MTA) that processes email headers and body content. The vulnerability resides in the UTF-8 operator handling code when processing email headers containing malformed UTF-8 sequences, specifically oversized trailing characters that exceed buffer boundaries. CWE-125 (Out-of-bounds Read) indicates the UTF-8 parsing logic fails to validate character boundaries before accessing memory, allowing the parser to read beyond allocated buffer regions. The affected CPE cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:* confirms all Exim versions prior to 4.99.2 are vulnerable when the UTF-8 operator feature is active.

RemediationAI

Upgrade Exim to version 4.99.2 or later as the primary remediation. The upstream fix is available via commit f2570bde16fb4d4a1242ff363a4c4eecf6372efc in the Exim code repository. For deployments unable to immediately upgrade, disable UTF-8 operator functionality if operationally feasible-review the Exim configuration to disable any utf8 operators in ACLs, string expansions, or header processing rules. This workaround eliminates the attack surface but may impact email processing for non-ASCII headers; verify compatibility with organizational requirements before implementation. Consult https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40686.assessment for vendor assessment details and patch availability timelines.

More in Exim

View all
CVE-2017-16943 CRITICAL POC
9.8 Nov 25

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitr

CVE-2017-16944 HIGH POC
7.5 Nov 25

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial

CVE-2016-1531 HIGH POC
7.0 Apr 07

Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. Rat

CVE-2025-26794 HIGH
7.5 Feb 21

Exim mail server version 4.98 before 4.98.1 contains a remote SQL injection vulnerability when SQLite hints and ETRN ser

CVE-2019-10149 CRITICAL POC
9.8 Jun 05

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2012-5671 MEDIUM
6.8 Oct 31

Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM suppor

CVE-2022-37452 CRITICAL POC
9.8 Aug 07

Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name

CVE-2019-16928 CRITICAL POC
9.8 Sep 27

Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. Rated critical sev

CVE-2018-6789 CRITICAL POC
9.8 Feb 08

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. Rated critical severity (CVS

CVE-2020-8015 HIGH POC
7.8 Apr 02

A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attacke

CVE-2022-37451 HIGH POC
7.5 Aug 06

Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_mall

CVE-2020-12783 HIGH POC
7.5 May 11

Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass

Share

CVE-2026-40686 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy