Description
In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.
Published: 2026-04-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Exim server running a version before 4.99.2 can experience an out-of-bounds heap write when the JSON lookup feature is enabled and the server parses malformed JSON embedded in an untrusted header. The corruption arises from incorrect handling of backslash escapes (classified as CWE-684). The out-of-bounds write could corrupt internal state, potentially causing a denial of service or other unstable behavior, but the description does not confirm remote code execution.

Affected Systems

Exim versions earlier than 4.99.2 in which the JSON lookup functionality is in use. The vulnerability applies to all installations that expose the JSON lookup feature to external or untrusted email headers.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS information is available, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is likely network-based, requiring the attacker to send a crafted mail message containing malformed JSON in a header to a vulnerable Exim host. With JSON lookup enabled, an unauthenticated attacker could trigger the out-of-bounds write, causing memory corruption and potentially service disruption.

Generated by OpenCVE AI on May 1, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Exim to version 4.99.2 or later, which contains the fixed JSON parsing logic.
  • If an upgrade is delayed, disable or remove the JSON lookup feature from Exim's configuration to eliminate the code path that can process untrusted JSON.
  • Verify that incoming headers are parsed only by trusted, authenticated sources, and consider employing additional header validation or filtering before the JSON lookup step.

Advisories

No advisories yet.

History

Fri, 01 May 2026 05:45:00 +0000
  Title (added): Exim Out-of-Bounds Heap Write in JSON Lookup

Fri, 01 May 2026 02:30:00 +0000
  References (values not shown)

Fri, 01 May 2026 02:00:00 +0000
  References (values not shown)

Thu, 30 Apr 2026 21:45:00 +0000
  Description (added): In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.
  First Time appeared (added): Exim; Exim exim
  Weaknesses (added): CWE-684
  CPEs (added): cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*
  Vendors & Products (added): Exim; Exim exim
  References (values not shown)
  Metrics (added): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T01:18:39.741Z

Reserved: 2026-04-14T00:00:00.000Z

Link: CVE-2026-40685

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-30T22:16:25.633

Modified: 2026-05-01T02:16:03.990

Link: CVE-2026-40685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T05:30:09Z

Weaknesses