Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client.
AnalysisAI
Uninitialized stack memory disclosure in Exim 4.88 through 4.99.3 allows remote unauthenticated attackers to read arbitrary stack memory contents by sending specially crafted short payloads to proxy-enabled SMTP listeners. The vulnerability is constrained to proxy configurations but requires no authentication and no user interaction (AV:N/AC:L/PR:N/UI:N), making it trivially reachable against exposed instances. No public exploit code or CISA KEV listing exists at time of analysis, and a vendor-released fix is available in Exim 4.99.4.
Technical ContextAI
Exim is one of the most widely deployed open-source mail transfer agents, commonly used on Debian-based Linux systems. The affected code path involves proxy protocol handling - a feature that allows upstream load balancers or reverse proxies to pass original client connection metadata (e.g., source IP) to Exim via PROXY protocol headers. The root cause is CWE-839 (Numeric Range Comparison Without Minimum Check): Exim validates that incoming payload lengths do not exceed a maximum threshold but fails to enforce a minimum bound. When a client supplies a payload shorter than the expected minimum, Exim proceeds to read beyond the valid data into uninitialized stack memory and returns those bytes to the client. The affected product scope per CPE is cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*, spanning versions 4.88 up to (not including) 4.99.4. Debian tracks this across 9 releases and has issued DSA-6309-1.
RemediationAI
Vendor-released patch: Exim 4.99.4. Upgrade immediately by following the Exim vendor security advisory at https://exim.org/static/doc/security/EXIM-Security-2026-05-19.1. Debian users should apply DSA-6309-1 via 'apt-get update && apt-get upgrade exim4' - this is the recommended path for Debian stable and derivatives. If immediate patching is not operationally feasible and the proxy protocol feature is not required by upstream infrastructure, disabling Exim's proxy protocol support eliminates the vulnerable code path entirely; note that this will break PROXY protocol-based client IP preservation from upstream load balancers, which may affect logging accuracy, access controls, or SPF evaluation depending on the deployment. As an additional network-layer control, restricting TCP 25 access to only trusted proxy source IPs via firewall rules limits attacker reachability but does not remediate the vulnerability if a trusted proxy is itself compromised or if internal attackers are a concern.
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitr
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. Rat
Exim mail server version 4.98 before 4.98.1 contains a remote SQL injection vulnerability when SQLite hints and ETRN ser
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Rated critical severity (CVSS 9.8), this vulnerability is re
Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM suppor
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. Rated critical sev
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. Rated critical severity (CVS
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attacke
Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_mall
Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass
Same technique Information Disclosure
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 4.94.2-7+deb11u3 | - |
| bullseye (security) | vulnerable | 4.94.2-7+deb11u5 | - |
| bookworm | fixed | 4.96-15+deb12u10 | - |
| bookworm (security) | fixed | 4.96-15+deb12u10 | - |
| trixie | fixed | 4.98.2-1+deb13u3 | - |
| trixie (security) | fixed | 4.98.2-1+deb13u3 | - |
| forky | vulnerable | 4.99.3-1 | - |
| sid | fixed | 4.99.3-2 | - |
| (unstable) | fixed | 4.99.3-2 | - |
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33446
GHSA-wgrp-2w9f-fmvg