The Exim development team has released a high-priority security update, version 4.99.2, to address four newly discovered vulnerabilities that threaten the stability and security of the internet’s most popular mail transfer agent.
These flaws allow remote attackers to crash mail server connections, corrupt memory, or leak sensitive system data. Because email servers are exposed to the public internet by design, they are prime targets for automated scanners looking to weaponize these vulnerabilities.
Breakdown of the Discovered Vulnerabilities
The update addresses four distinct Common Vulnerabilities and Exposures (CVEs) centered around how Exim processes external inputs like DNS records and email headers.
| CVE ID | Impact | Technical Root Cause |
|---|---|---|
| CVE-2026-40684 | Denial of Service | Malicious DNS PTR records trigger an octal printing error on systems using musl libc (common in Alpine Linux), causing a total crash. |
| CVE-2026-40685 | Heap Corruption | Out-of-bounds read/write occurs when processing corrupted JSON data in headers using JSON operators. |
| CVE-2026-40686 | Information Leak | Large UTF-8 trailing characters in headers trigger out-of-bounds reads, potentially leaking memory data in error messages. |
| CVE-2026-40687 | Memory Disclosure | A flaw in the SPA authenticator allows compromised external SPA/NTLM services to crash the instance or leak heap memory. |
The “musl” Factor: A Specialized Crash
While many Linux servers use the glibc library, CVE-2026-40684 highlights a dangerous edge case for those using the musl C library (often found in lightweight Docker containers and Alpine Linux distributions).
Attackers can provide a malformed DNS record that, when processed by Exim, causes the specific connection instance to crash immediately. This “DNS-to-DoS” path is particularly effective because it requires no direct login or authentication—the server crashes just by trying to look up who is connecting to it.
Why These Flaws Matter: The Memory Battle
The other three vulnerabilities (CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687) involve Out-of-Bounds (OOB) operations. When a program reads or writes data outside its assigned memory “box,” one of two things can happen:
- Crashes: The system detects the violation and shuts down the process (Denial of Service).
- Data Theft: An attacker carefully manipulates the OOB read to “peer” into adjacent memory segments, which may contain sensitive configuration data or credentials from other emails currently in transit.
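The mechanism behind the second outcome is easiest to see in a small, constructed example. The following C program is an added illustration and is not Exim's code: it is a toy header scanner that copies one multi-byte UTF-8 sequence out of a header value. A UTF-8 lead byte announces how many continuation bytes follow it; the unchecked version trusts that announcement and copies past the end of the header, while the hardened version first compares the claimed length against the bytes that actually remain. The "adjacent memory" filled with `'S'` bytes is constructed so the overread stays inside an allocated array and the program is free of undefined behaviour; the function names (`copy_seq_unchecked`, `copy_seq_checked`, `demo_leaked_bytes`) are this example's own.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Number of bytes a UTF-8 sequence claims, judged from its lead byte alone. */
static size_t utf8_claimed_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0; /* stray continuation byte or invalid lead byte */
}

/*
 * Vulnerable pattern: copies the whole claimed sequence starting at `pos`
 * into `out` without knowing how long the header really is. Callers in this
 * demo pass a buffer whose allocation extends beyond the header so that the
 * bytes read past it stand in for neighbouring heap data instead of being an
 * undefined read. Returns the number of bytes copied.
 */
size_t copy_seq_unchecked(const unsigned char *buf, size_t pos,
                          unsigned char *out, size_t out_cap)
{
    size_t n = utf8_claimed_len(buf[pos]);
    if (n > out_cap) n = out_cap;
    for (size_t i = 0; i < n; i++) out[i] = buf[pos + i];
    return n;
}

/*
 * Hardened pattern: the claimed length is honoured only when that many bytes
 * really remain in the header (`len`). Returns 0 on a truncated or invalid
 * sequence so the caller can reject the header instead of reading past it.
 */
size_t copy_seq_checked(const unsigned char *buf, size_t len, size_t pos,
                        unsigned char *out, size_t out_cap)
{
    if (pos >= len) return 0;
    size_t n = utf8_claimed_len(buf[pos]);
    if (n == 0 || n > out_cap || n > len - pos) return 0;
    for (size_t i = 1; i < n; i++)           /* continuation bytes are 10xxxxxx */
        if ((buf[pos + i] & 0xC0) != 0x80) return 0;
    memcpy(out, buf + pos, n);
    return n;
}

/* Constructed header: three ASCII bytes, then a lead byte (0xF0) promising
 * a 4-byte sequence of which no continuation bytes are actually present. */
static const unsigned char truncated_header[] = { 'a', 'b', 'c', 0xF0 };

/* Runs the unchecked copy on the truncated header placed in front of
 * constructed "adjacent memory" filled with 'S'. Returns how many 'S' bytes
 * ended up in the output, i.e. how many bytes leaked from outside the header. */
size_t demo_leaked_bytes(void)
{
    unsigned char storage[16];
    memset(storage, 'S', sizeof storage);       /* stands for neighbouring heap data */
    size_t len = sizeof truncated_header;
    memcpy(storage, truncated_header, len);

    unsigned char out[4] = {0};
    size_t n = copy_seq_unchecked(storage, len - 1, out, sizeof out);
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++) if (out[i] == 'S') leaked++;
    return leaked;  /* 3: every "continuation" byte came from outside the header */
}

/* The checked copy refuses the same truncated header: returns 0. */
size_t demo_checked_rejects(void)
{
    unsigned char out[4];
    return copy_seq_checked(truncated_header, sizeof truncated_header, 3,
                            out, sizeof out);
}

/* The checked copy still accepts a complete sequence (U+20AC, 3 bytes). */
size_t demo_checked_accepts(void)
{
    static const unsigned char euro[] = { 0xE2, 0x82, 0xAC };
    unsigned char out[4];
    return copy_seq_checked(euro, sizeof euro, 0, out, sizeof out);
}

int main(void)
{
    printf("unchecked copy leaked %zu byte(s) past the header\n", demo_leaked_bytes());
    printf("checked copy consumed %zu byte(s) of the truncated header\n", demo_checked_rejects());
    printf("checked copy consumed %zu byte(s) of a complete sequence\n", demo_checked_accepts());
    return 0;
}
```

The difference between the two copies is a single comparison against the remaining length, which is why bugs of this class are easy to introduce and hard to spot in review: the unchecked code is correct for every well-formed header and only misbehaves on input nobody expected.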
Mitigation: Update or Risk Permanent Exposure
The Exim team has stated that older versions are no longer actively maintained. This means if you are not running the 4.99 branch, your mail server could remain permanently vulnerable to these exploits.
Immediate Actions for Administrators:
- Upgrade to 4.99.2: This is the only definitive fix. Download the latest source from the official Exim FTP or pull the exim-4.99.2 tag from the Git repository.
- Check Your C Library: If your mail server runs on Alpine Linux or another musl-based distro, prioritize the patch to prevent the DNS-related crash.
- Review Configurations: If your server uses JSON operators or SPA/NTLM authentication drivers, you are at an elevated risk and should rotate sensitive service keys after patching.
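The three actions above can be turned into a quick triage script. The following POSIX shell is an added example written for this article, not a script shipped by the Exim project. It assumes that `exim -bV` prints a first line beginning `Exim version X.Y.Z` (as stock builds do), that musl systems ship a dynamic loader named `/lib/ld-musl-*.so.1`, that `exim -bP configure_file` reports the configuration path, and that the affected features appear in the configuration as `driver = spa` and `${extract json...}` / `${extract jsons...}`. The function names and the `REQUIRED_VERSION` constant are this example's own.

```shell
#!/bin/sh
# Added triage helper for the Exim 4.99.2 advisory (example code, not Exim's).

REQUIRED_VERSION="4.99.2"

# version_at_least CURRENT REQUIRED -> exit 0 if CURRENT >= REQUIRED.
# Compares dotted numeric versions field by field, so 4.99.10 > 4.99.2,
# and treats a missing field as 0, so 4.99 < 4.99.2. Anything after the
# first non-numeric character (e.g. "-RC1") is ignored.
version_at_least() {
    cur=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    req=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$cur" ] || [ -n "$req" ]; do
        c=${cur%%.*}; r=${req%%.*}
        c=${c:-0};    r=${r:-0}
        [ "$c" -gt "$r" ] && return 0
        [ "$c" -lt "$r" ] && return 1
        case $cur in *.*) cur=${cur#*.};; *) cur=;; esac
        case $req in *.*) req=${req#*.};; *) req=;; esac
    done
    return 0
}

# exim_version_from_bv: read `exim -bV` output on stdin, print "X.Y.Z".
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# libc_flavour: print "musl", "glibc" or "unknown" for this host, based on
# which dynamic loader is installed (assumed loader paths).
libc_flavour() {
    if ls /lib/ld-musl-*.so.1 >/dev/null 2>&1; then
        echo musl
    elif [ -e /lib64/ld-linux-x86-64.so.2 ] || ls /lib/ld-linux*.so.* >/dev/null 2>&1; then
        echo glibc
    else
        echo unknown
    fi
}

# risky_features: read an Exim configuration on stdin and print one line per
# feature named in the advisory that it uses ("spa-authenticator",
# "json-operators"). Prints nothing when neither is found.
risky_features() {
    conf=$(cat)
    printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*driver[[:space:]]*=[[:space:]]*spa[[:space:]]*$' &&
        echo spa-authenticator
    printf '%s\n' "$conf" |
        grep -Eq '\$\{extract[[:space:]]+jsons?[[:space:]]*\{' &&
        echo json-operators
    return 0
}

main() {
    if ! command -v exim >/dev/null 2>&1; then
        echo "exim not found in PATH"
        return 0
    fi
    v=$(exim -bV 2>/dev/null | exim_version_from_bv)
    [ -n "$v" ] || v=unknown
    if version_at_least "$v" "$REQUIRED_VERSION"; then
        echo "exim $v: at or above $REQUIRED_VERSION"
    else
        echo "exim $v: UPGRADE to $REQUIRED_VERSION"
    fi
    echo "libc: $(libc_flavour) (musl hosts are exposed to the DNS PTR crash)"
    cfg=$(exim -bP configure_file 2>/dev/null | sed 's/^configure_file = //')
    if [ -r "$cfg" ]; then
        risky_features < "$cfg"
    else
        echo "could not read configuration file; review it by hand"
    fi
}

main "$@"
```

A host that prints `musl` should be patched first, and any line naming `spa-authenticator` or `json-operators` marks a configuration whose service keys the article recommends rotating once the upgrade is in place.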