Description
In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.
Published: 2026-04-30
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Exim versions older than 4.99.2 on systems that use musl libc, an oddity in how dn_expand handles octal printing can be triggered by malformed DNS data in PTR records. When such data is received, the connection instance crashes, causing a denial of service for that connection. The vulnerability does not enable code execution or data disclosure; its only effect is application instability.

Affected Systems

The issue affects the Exim mail transfer agent running on platforms that employ the musl libc implementation rather than the GNU libc. All Exim installations with a release prior to 4.99.2 that are built with musl are vulnerable. Exim 4.99.2 and later contain the fix, so upgrading is the recommended approach.

Risk and Exploitability

The CVSS base score of 5.9 indicates moderate severity. Because exploitation relies on crafted DNS PTR responses, an adversary could trigger the crash remotely if the mail server performs reverse lookups on inbound connections or otherwise processes DNS responses containing malicious PTR data. No public exploits are documented and the vulnerability is not in the CISA KEV catalog. With no EPSS value available, the likelihood of exploitation remains uncertain, but the ability to cause service interruption makes it a relevant concern for mail servers built against musl. There is no vendor-provided workaround; the patch is the only effective remedy.

Generated by OpenCVE AI on May 1, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Exim to version 4.99.2 or newer, which contains the dn_expand fix.
  • Reconfigure Exim to disable or limit reverse DNS lookups on incoming connections if upgrading is not immediately possible.
  • Monitor mail server logs for connectivity errors or crashes that could indicate exploitation attempts.
  • Apply any vendor-provided security updates, and consider redeploying affected containers or virtual machines with a musl-based OS after updating.

Advisories

No advisories yet.

History

Fri, 01 May 2026 05:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Denial of Service via malformed DNS PTR records exploits dn_expand bug in Exim on musl systems

Fri, 01 May 2026 02:30:00 +0000

Type       | Values Removed | Values Added
References |                |

Fri, 01 May 2026 02:00:00 +0000

Type       | Values Removed | Values Added
References |                |

Thu, 30 Apr 2026 21:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.
First Time appeared |                | Exim
                    |                | Exim exim
Weaknesses          |                | CWE-684
CPEs                |                | cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*
Vendors & Products  |                | Exim
                    |                | Exim exim
References          |                |
Metrics             |                | cvssV3_1
                    |                | {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T01:16:53.294Z

Reserved: 2026-04-14T00:00:00.000Z

Link: CVE-2026-40684

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-30T22:16:25.477

Modified: 2026-05-01T02:16:02.843

Link: CVE-2026-40684

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T05:30:09Z

Weaknesses