Skip to main content

Exim MTA EUVDEUVD-2026-33446

| CVE-2026-48840 MEDIUM
Numeric Range Comparison Without Minimum Check (CWE-839)
2026-05-30 mitre GHSA-wgrp-2w9f-fmvg
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 30, 2026 - 02:26 vuln.today

DescriptionCVE.org

Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client.

AnalysisAI

Uninitialized stack memory disclosure in Exim 4.88 through 4.99.3 allows remote unauthenticated attackers to read arbitrary stack memory contents by sending specially crafted short payloads to proxy-enabled SMTP listeners. The vulnerability is constrained to proxy configurations but requires no authentication and no user interaction (AV:N/AC:L/PR:N/UI:N), making it trivially reachable against exposed instances. No public exploit code or CISA KEV listing exists at time of analysis, and a vendor-released fix is available in Exim 4.99.4.

Technical ContextAI

Exim is one of the most widely deployed open-source mail transfer agents, commonly used on Debian-based Linux systems. The affected code path involves proxy protocol handling - a feature that allows upstream load balancers or reverse proxies to pass original client connection metadata (e.g., source IP) to Exim via PROXY protocol headers. The root cause is CWE-839 (Numeric Range Comparison Without Minimum Check): Exim validates that incoming payload lengths do not exceed a maximum threshold but fails to enforce a minimum bound. When a client supplies a payload shorter than the expected minimum, Exim proceeds to read beyond the valid data into uninitialized stack memory and returns those bytes to the client. The affected product scope per CPE is cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*, spanning versions 4.88 up to (not including) 4.99.4. Debian tracks this across 9 releases and has issued DSA-6309-1.

RemediationAI

Vendor-released patch: Exim 4.99.4. Upgrade immediately by following the Exim vendor security advisory at https://exim.org/static/doc/security/EXIM-Security-2026-05-19.1. Debian users should apply DSA-6309-1 via 'apt-get update && apt-get upgrade exim4' - this is the recommended path for Debian stable and derivatives. If immediate patching is not operationally feasible and the proxy protocol feature is not required by upstream infrastructure, disabling Exim's proxy protocol support eliminates the vulnerable code path entirely; note that this will break PROXY protocol-based client IP preservation from upstream load balancers, which may affect logging accuracy, access controls, or SPF evaluation depending on the deployment. As an additional network-layer control, restricting TCP 25 access to only trusted proxy source IPs via firewall rules limits attacker reachability but does not remediate the vulnerability if a trusted proxy is itself compromised or if internal attackers are a concern.

More in Exim

View all
CVE-2017-16943 CRITICAL POC
9.8 Nov 25

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitr

CVE-2017-16944 HIGH POC
7.5 Nov 25

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial

CVE-2016-1531 HIGH POC
7.0 Apr 07

Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. Rat

CVE-2025-26794 HIGH
7.5 Feb 21

Exim mail server version 4.98 before 4.98.1 contains a remote SQL injection vulnerability when SQLite hints and ETRN ser

CVE-2019-10149 CRITICAL POC
9.8 Jun 05

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2012-5671 MEDIUM
6.8 Oct 31

Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM suppor

CVE-2022-37452 CRITICAL POC
9.8 Aug 07

Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name

CVE-2019-16928 CRITICAL POC
9.8 Sep 27

Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. Rated critical sev

CVE-2018-6789 CRITICAL POC
9.8 Feb 08

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. Rated critical severity (CVS

CVE-2020-8015 HIGH POC
7.8 Apr 02

A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attacke

CVE-2022-37451 HIGH POC
7.5 Aug 06

Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_mall

CVE-2020-12783 HIGH POC
7.5 May 11

Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass

Vendor StatusVendor

Debian

exim4
Release Status Fixed Version Urgency
bullseye vulnerable 4.94.2-7+deb11u3 -
bullseye (security) vulnerable 4.94.2-7+deb11u5 -
bookworm fixed 4.96-15+deb12u10 -
bookworm (security) fixed 4.96-15+deb12u10 -
trixie fixed 4.98.2-1+deb13u3 -
trixie (security) fixed 4.98.2-1+deb13u3 -
forky vulnerable 4.99.3-1 -
sid fixed 4.99.3-2 -
(unstable) fixed 4.99.3-2 -

SUSE

Severity: Medium

Share

EUVD-2026-33446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy