Skip to main content

Exim EUVDEUVD-2026-26445

| CVE-2026-40687 MEDIUM
Missing Initialization of Resource (CWE-909)
2026-04-30 mitre
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
May 01, 2026 - 19:17 nvd
Patch available
Patch available
Apr 30, 2026 - 23:02 EUVD
Analysis Generated
Apr 30, 2026 - 22:01 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 21:45 euvd
EUVD-2026-26445
Analysis Generated
Apr 30, 2026 - 21:45 vuln.today
CVE Published
Apr 30, 2026 - 00:00 nvd
MEDIUM 4.8

DescriptionCVE.org

In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.

AnalysisAI

Out-of-bounds write in Exim before 4.99.2 SPA authentication driver allows remote attackers to crash the mail server connection or leak uninitialized heap memory when processing adversarial SPA authentication resources, affecting confidentiality and availability of the mail service.

Technical ContextAI

Exim's SPA (Simple Password Authentication) driver contains a buffer handling flaw (CWE-909: Missing Initialization with Hard-Coded Network Resource Configuration) when parsing SPA authentication protocol messages from remote clients. The vulnerability manifests as either an out-of-bounds write that terminates the SMTP connection or memory disclosure from uninitialized heap regions. The SPA driver is a pluggable authentication mechanism within Exim's SMTP server, making this remotely exploitable without prior authentication to the mail system.

RemediationAI

Upgrade Exim to version 4.99.2 or later, which contains the fix confirmed in the upstream commit 68b963b9f75ca27b38e1c0f8c87037990199f505 (https://code.exim.org/exim/exim/commit/68b963b9f75ca27b38e1c0f8c87037990199f505). If immediate patching is not feasible, disable the SPA authentication driver in exim.conf by removing or commenting out any SPA driver configuration in the authenticators section. This eliminates the attack surface but may require alternative authentication methods (e.g., PLAIN, LOGIN, CRAM-MD5) if SPA is relied upon by specific clients. Verify SPA is not in use before disabling it to avoid breaking legitimate authentication workflows. Consult https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40687.assessment for deployment-specific guidance.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-26445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy