Exim Mail Server 4.99.2 Fixes Four Critical Security Flaws
The developers of the widely deployed Exim mail transfer agent have officially released version 4.99.2, addressing four newly discovered security vulnerabilities that could allow remote attackers to crash server connections, corrupt memory heaps, or leak sensitive system data.
Mail server administrators are strongly urged to apply the update immediately to protect their email infrastructure. Security patches were initially shared with Linux distribution maintainers on April 24, 2026, with the formal release following on April 29.
Although the public announcement experienced a brief delay across broader security mailing lists, the Exim development team has since made the patched source code widely available through official project channels.
As one of the most popular message transfer agents (MTAs) for Unix-like operating systems, Exim handles enormous volumes of unverified external data, making it a prime target for input validation exploits.
When processing incoming messages, Exim must safely parse complex components, including domain names, email headers, and authentication requests.
Failure to properly sanitize these inputs allows attackers to craft malicious payloads that exploit the server’s underlying memory management mechanisms.
Critical Exim Mail Server Flaws
Security researchers identified four distinct CVEs affecting versions before 4.99.2:
- CVE-2026-40684 — A potential crash triggered by malicious DNS data in PTR records; because of an octal printing error, it specifically affects systems built against musl libc rather than glibc
- CVE-2026-40685 — Out-of-bounds read and write operations when processing corrupt JSON data in email headers, capable of directly triggering heap corruption
- CVE-2026-40686 — An out-of-bounds read caused by oversized UTF-8 trailing characters in headers, potentially leaking data through error messages generated during subsequent emails in the same connection
- CVE-2026-40687 — Out-of-bounds read and write vulnerability in the SPA authentication driver, enabling a hostile external connection to crash the Exim instance or expose heap data
The primary threats posed by these vulnerabilities include denial-of-service through unexpected connection crashes and unintended memory exposure.
Attackers sending specially crafted headers or malicious DNS responses could effectively turn off a network’s mail processing capabilities.
Environments that leverage external JSON operators or SPA/NTLM authenticators face a heightened exploitation risk from CVE-2026-40685 and CVE-2026-40687 specifically.
System administrators must upgrade to Exim 4.99.2 via official project channels without delay. The Exim maintainers have explicitly noted that older versions are no longer actively maintained, meaning organizations running legacy deployments may remain permanently exposed if they fail to migrate. Updated release files and verified Git repository tags are currently live on the official Exim infrastructure.
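As an added triage aid (example code, not from the Exim project or the article), the following script applies the article's two actionable facts: a build older than 4.99.2 needs upgrading, and configurations using the JSON extract operator or the SPA/NTLM authenticator carry heightened exposure to CVE-2026-40685 and CVE-2026-40687. The `exim -bV` output and the configuration excerpt are constructed samples; the patterns follow Exim's documented `${extract json ...}` operator and `driver = spa` authenticator setting.

```python
import re

# Release that fixes CVE-2026-40684 through CVE-2026-40687 (per the article).
FIXED_VERSION = (4, 99, 2)
# Constructed sample of `exim -bV` output; not captured from a real host.
SAMPLE_BV = "Exim version 4.98.2 #3 built 03-Mar-2026\nCopyright (c) University of Cambridge"
# Constructed Exim runtime-config excerpt using the two features the article flags:
# the JSON extract operator (CVE-2026-40685) and the SPA/NTLM driver (CVE-2026-40687).
SAMPLE_CONFIG = """begin acl
acl_check_data:
  warn  set acl_m_tag = ${extract json{tag}{$h_X-Meta:}}

begin authenticators
ntlm_auth:
  driver = spa
  server_password = ${lookup{$auth1}lsearch{/etc/exim/spa-users}}
"""

VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")
# Exim's ${extract json ...} / ${extract jsons ...} operator, and `driver = spa`.
FEATURE_PATTERNS = {
    "json_extract": re.compile(r"\$\{\s*extract\s+jsons?\b"),
    "spa_auth": re.compile(r"^\s*driver\s*=\s*spa\s*$", re.MULTILINE),
}

def parse_exim_version(bv_output):
    """Return (major, minor, patch) from `exim -bV` output, or None if not found."""
    m = VERSION_RE.search(bv_output)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))  # "4.99" -> (4, 99, 0)

def is_vulnerable(version):
    """True when the build predates the fixed release (tuple comparison)."""
    return version < FIXED_VERSION

def risky_features(config_text):
    """Names of configured features the article says raise exposure."""
    return {name for name, pat in FEATURE_PATTERNS.items() if pat.search(config_text)}

def assess(bv_output, config_text):
    """One triage record: version, whether an upgrade is needed, risky features."""
    version = parse_exim_version(bv_output)
    return {
        "version": version,
        "needs_upgrade": version is not None and is_vulnerable(version),
        "risky_features": sorted(risky_features(config_text)),
    }
```

Because the patches were shared with distribution maintainers ahead of release, a packaged build may carry backported fixes while still reporting an older version, so a `needs_upgrade` result flags a host for review against the vendor's advisory rather than proving it exposed.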