Exim, one of the most widely deployed mail transfer agents on the internet, has released version 4.99.2, a critical security update patching four newly disclosed CVEs affecting DNS processing, JSON header parsing, UTF-8 handling, and SPA authentication. System administrators running any prior Exim version should treat this as an urgent upgrade with no available workarounds.
Exim is a free, open-source Message Transfer Agent (MTA) originally developed at the University of Cambridge in 1995 and released under the GNU General Public License. It serves as the backbone email routing software for Unix-like systems globally.
A Shodan scan previously revealed over 3.5 million Exim servers exposed directly to the internet, making any security flaw in Exim an immediate concern for a substantial portion of the world’s email infrastructure.
On April 29, 2026, the Exim team published version 4.99.2 as a dedicated security release, disclosed through the exim-announce mailing list and subsequently forwarded to the oss-security list by Solar Designer of Openwall.
The release was coordinated with Linux distributions via a private pre-notification on April 24, 2026, before the public release. All previous versions of Exim are now considered obsolete. The four patched vulnerabilities span memory corruption, heap OOB write, data leak, and denial-of-service primitives, all reachable through externally controlled input.
CVE-2026-40684 – DNS PTR Record Crash on musl libc
CVE-2026-40684 is a Denial-of-Service vulnerability affecting Exim instances running on systems using musl libc rather than glibc. The flaw stems from an oddity in octal printing inside dn_expand() when processing PTR records containing malformed DNS data.
An attacker with the ability to inject or poison DNS PTR responses can crash the active connection instance, disrupting mail delivery. Notably, this vulnerability does not affect systems using the standard glibc implementation, making it a targeted risk for Alpine Linux and other musl-based distributions commonly used in containerized deployments.
CVE-2026-40685 – OOB Heap Write via Malformed JSON Headers
CVE-2026-40685 is a medium-severity memory corruption vulnerability (CVSS 6.5) triggered when Exim configurations use JSON operators on externally-provided, malformed input. An out-of-bounds heap write occurs due to the incorrect implementation of backslash (\) character skipping in JSON parsing logic.
Any attacker capable of injecting crafted headers into a message processed by a JSON-enabled Exim configuration can trigger heap corruption, potentially leading to process crashes or, in more advanced exploitation scenarios, arbitrary code execution. Administrators using json lookup operators in their ACL or router configurations are directly exposed.
CVE-2026-40686 – OOB Read with Malformed UTF-8 Headers
CVE-2026-40686 affects Exim deployments that enable UTF-8 headers and processing operators. When Exim encounters malformed UTF-8 sequences, specifically oversized trailing characters in email headers, the UTF-8 operator can trigger an out-of-bounds read in heap memory.
What elevates this beyond a simple crash flaw is the potential for a data leak. If error messages are generated for subsequent emails within the same SMTP connection while similar malformed headers are present, previously read heap contents could be disclosed to an external party. This class of memory disclosure is a known precursor technique to more sophisticated chained exploits.
CVE-2026-40687 – OOB Read/Write in SPA/NTLM Authenticator
CVE-2026-40687 is arguably the most operationally dangerous of the four for organizations that authenticate outbound mail relays using SPA (Secure Password Authentication) or NTLM-compatible authentication drivers.
When Exim uses the SPA authentication driver against a hostile or compromised external SPA/NTLM endpoint, an adversary can induce an out-of-bounds read/write that either crashes the connection instance or leaks uninitialized heap memory to the remote party.
This attack vector is particularly relevant in enterprise mail relay chains where Exim authenticates to Microsoft Exchange or legacy NTLM-speaking relays, a common configuration in hybrid environments.
| CVE | Type | Trigger Vector | Impact | Affected Config |
|---|---|---|---|---|
| CVE-2026-40684 | DoS / Crash | Malicious DNS PTR record | Connection crash | musl libc systems only |
| CVE-2026-40685 | OOB Heap Write | Malformed JSON in header | Heap corruption / potential RCE | JSON operators enabled |
| CVE-2026-40686 | OOB Read / Data Leak | Malformed UTF-8 in header | Memory disclosure | UTF-8 operators enabled |
| CVE-2026-40687 | OOB Read/Write | Hostile SPA/NTLM endpoint | Crash / heap data leak | SPA authenticator in use |
How to Update Exim
Exim 4.99.2 is immediately available through the following channels:
- FTP tarball: https://ftp.exim.org/pub/exim/exim4/
- Git release: https://code.exim.org/exim/exim/releases(tag:exim-4.99.2)
- Direct Git clone: https://code.exim.org/exim/exim
- Package managers: Debian and Ubuntu package maintainers have been notified; monitor exim4 package updates via apt
Administrators should verify the installed version with exim --version and immediately upgrade if running any version before 4.99.2. There are no announced mitigations or workarounds; the fix is the upgrade.
Sophisticated threat actors have actively exploited Exim’s attack surface for years. The NSA publicly attributed the exploitation of an Exim RCE vulnerability (CVE-2019-10149) to Russia’s Sandworm APT group, which used it to maintain persistent access to internet-facing mail servers.
More recently, CVE-2025-67896, a critical (CVSS 9.8) heap-based buffer overflow, affected Exim versions before 4.99.1 and could allow remote code execution via malformed rate-limit database records. The pattern is consistent: Exim vulnerabilities attract rapid, real-world exploitation, and delayed patching routinely leads to mass compromise events.
Mitigation
- Immediately upgrade all Exim instances to version 4.99.2
- Audit ACL configurations for active use of json, utf8, and SPA authentication operators to assess direct exposure
- Restrict inbound SMTP to trusted sources where operationally feasible
- Monitor DNS resolvers for signs of PTR record poisoning on musl libc-based deployments
- Review outbound relay configurations that use NTLM/SPA authentication chains to external mail servers
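The two checks above that an administrator can actually script, confirming the installed version is at least 4.99.2 and finding where a configuration uses the json or utf8 expansion operators or the spa authenticator driver, are shown below as an added example. This is not code from the Exim project or from the advisory. It assumes the banner format of `exim --version` ("Exim version X.Y.Z #N built ..."), and the grep patterns for `${extract json...}`, `${utf8...:...}` and `driver = spa` are this example's assumptions about how those features appear in a configuration, not an exhaustive detector. The banner and configuration it scans are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not Exim project code): triage helper for the 4.99.2 advisory.
# 1) Is the reported Exim version older than the fixed release?
# 2) Which lines of a configuration use the features the advisory ties to a CVE?

FIXED_VERSION="4.99.2"

# Extract "X.Y.Z" from the first line of `exim --version` output (assumed format).
parse_exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when version $1 is strictly older than version $2.
# Fields are compared numerically, so 4.100 sorts after 4.99.2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Print "OUTDATED <ver>", "OK <ver>" or "UNKNOWN" for a captured version banner.
check_exim_version() {
    v=$(parse_exim_version "$1")
    if [ -z "$v" ]; then echo "UNKNOWN"; return 2; fi
    if version_lt "$v" "$FIXED_VERSION"; then echo "OUTDATED $v"; return 1; fi
    echo "OK $v"
}

# Scan a configuration file for the features named in the advisory and print
# one "<feature> <line-no>:<text>" record per hit. Patterns are assumptions:
#   json  - ${extract json{..}{..}} / ${extract jsons{..}{..}}  (CVE-2026-40685)
#   utf8  - ${utf8clean:..} and the other ${utf8...:..} operators (CVE-2026-40686)
#   spa   - an authenticator section with "driver = spa"          (CVE-2026-40687)
# Each grep is piped into sed so a pattern with no matches does not fail the function.
audit_exim_config() {
    cfg="$1"
    grep -n -E '(\$\{|extract[[:space:]]+)jsons?[[:space:]{:]' "$cfg" | sed 's/^/json /'
    grep -n -E '\$\{utf8[a-z_]*:' "$cfg" | sed 's/^/utf8 /'
    grep -n -E '^[[:space:]]*driver[[:space:]]*=[[:space:]]*spa[[:space:]]*$' "$cfg" | sed 's/^/spa /'
}

# Number of exposure records for a configuration file.
count_exposures() {
    audit_exim_config "$1" | grep -c .
}

# --- Constructed sample input (not from any real deployment) ---------------
SAMPLE_BANNER="Exim version 4.98.1 #2 built 01-Jan-2026 00:00:00"

SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample configuration for the audit example
acl_check_rcpt:
  warn  set acl_m_tag = ${extract json{subject}{$h_X-Meta:}}
  deny  condition = ${if eq {${utf8clean:$h_From:}}{}}

begin authenticators
exchange_login:
  driver = spa
  client_username = relay
  client_password = PASSWORD-PLACEHOLDER
  client_domain   = EXAMPLE
EOF

echo "Version check : $(check_exim_version "$SAMPLE_BANNER")"
echo "Exposures     : $(count_exposures "$SAMPLE_CFG")"
audit_exim_config "$SAMPLE_CFG"
```

Against a live host, feed the real banner and configuration instead of the constructed ones: `check_exim_version "$(exim --version | head -n 1)"` and `audit_exim_config "$(exim -bP configure_file | sed 's/^configure_file = //')"`. A non-empty audit result does not by itself mean the feature is reachable from untrusted input, but it tells you which sections to review while the upgrade is scheduled.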
FAQ
Q1: Are all Exim versions before 4.99.2 vulnerable to these four CVEs?
Yes, the Exim team confirms all prior versions are potentially affected and are no longer actively maintained, making 4.99.2 the only supported secure release.
Q2: Can CVE-2026-40684 be exploited remotely without DNS poisoning capabilities?
No, an attacker must control or poison DNS PTR responses to deliver the malformed data that triggers the musl libc crash.
Q3: Does CVE-2026-40685 or CVE-2026-40686 require a non-default Exim configuration?
Yes, both flaws require that JSON or UTF-8 operators be explicitly enabled in the Exim configuration, which are non-default features.
Q4: Is there evidence of active exploitation of these four CVEs in the wild?
As of April 29, 2026, the release date, no public proof-of-concept or active exploitation has been confirmed, but Exim flaws have historically attracted rapid attention from threat actors.