Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
6DescriptionCVE.org
In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.
AnalysisAI
Out-of-bounds write in Exim before 4.99.2 SPA authentication driver allows remote attackers to crash the mail server connection or leak uninitialized heap memory when processing adversarial SPA authentication resources, affecting confidentiality and availability of the mail service.
Technical ContextAI
Exim's SPA (Simple Password Authentication) driver contains a buffer handling flaw (CWE-909: Missing Initialization with Hard-Coded Network Resource Configuration) when parsing SPA authentication protocol messages from remote clients. The vulnerability manifests as either an out-of-bounds write that terminates the SMTP connection or memory disclosure from uninitialized heap regions. The SPA driver is a pluggable authentication mechanism within Exim's SMTP server, making this remotely exploitable without prior authentication to the mail system.
RemediationAI
Upgrade Exim to version 4.99.2 or later, which contains the fix confirmed in the upstream commit 68b963b9f75ca27b38e1c0f8c87037990199f505 (https://code.exim.org/exim/exim/commit/68b963b9f75ca27b38e1c0f8c87037990199f505). If immediate patching is not feasible, disable the SPA authentication driver in exim.conf by removing or commenting out any SPA driver configuration in the authenticators section. This eliminates the attack surface but may require alternative authentication methods (e.g., PLAIN, LOGIN, CRAM-MD5) if SPA is relied upon by specific clients. Verify SPA is not in use before disabling it to avoid breaking legitimate authentication workflows. Consult https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40687.assessment for deployment-specific guidance.
Same weakness CWE-909 – Missing Initialization of Resource
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26445