CVE-2026-48840

Published May 30, 2026

Last updated 20 days ago

CVSS medium 5.3

Overview

Description
Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client.
Source
cve@mitre.org
NVD status
Modified
Products
exim

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

cve@mitre.org
CWE-839

Social media

Hype score
Not currently trending

  1. 🚨*CVE* CVE-2026-48840 Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client. https://t.co/jztOvDb6O4 ----- Traducción: CVE-2026-48840 Exim 4.88 … https://t.co/utmtNgl

    @infoflowcloud

    30 May 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2026-48840: Exim: PROXY-protocol uninitialised-stack information disclosure. The leaked bytes are confirmed to be live userspace VA pointers, making this an ASLR-defeat primitive usable as a chain component. Fixed in 4.99.4. https://t.co/XXwJxdi063 https://t.co/6FnuYNlKE1

    @sin99xx

    30 May 2026

    31 Impressions

    3 Retweets

    3 Likes

    3 Bookmarks

    0 Replies

    2 Quotes

  3. CVE-2026-48840 CVE-2026-48840 https://t.co/HMZtp1rqGD

    @VulmonFeeds

    29 May 2026

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.CVE-2026-45185
  2. In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.CVE-2026-40687
  3. In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.CVE-2026-40685
  4. In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.CVE-2026-40686
  5. In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.CVE-2026-40684

References

Sources include official advisories and independent security research.