CVE-2026-40685

Published Apr 30, 2026

Last updated 7 days ago

CVSS medium 6.5

Overview

Description
In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.
Source
cve@mitre.org
NVD status
Analyzed
Products
exim

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

cve@mitre.org
CWE-684
nvd@nist.gov
CWE-787

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.CVE-2026-40687
  2. In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.CVE-2026-40686
  3. In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.CVE-2026-40684
  4. Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation.CVE-2025-67896
  5. A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges.CVE-2025-30232

References

Sources include official advisories and independent security research.