Description
In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.
Published: 2026-04-30
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves an out-of-bounds write in Exim's SPA authentication driver when it processes a malicious SPA resource. The write can crash the connection instance or cause erroneous data processing that leaks uninitialized heap memory. The resulting impact includes service disruption and potential leakage of sensitive data; the flaw is classified as CWE-909, a memory corruption weakness.

Affected Systems

Exim versions prior to 4.99.2 are affected. No other vendors are listed. An attacker can target any Exim deployment running a pre-4.99.2 build with the SPA authentication driver enabled.

Risk and Exploitability

The CVSS score is 4.8, indicating a moderate risk. EPSS information is unavailable, so the likelihood of exploitation is unclear. The vulnerability is not present in the CISA KEV catalog. The attack likely requires an attacker who can send crafted SMTP traffic to the Exim server with an adversarial SPA resource; the flaw appears during normal authentication processing, so a successful exploit could lead to a crash or data leakage but does not provide remote code execution or privilege escalation.

Generated by OpenCVE AI on May 1, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Exim 4.99.2 or later
  • Restrict or validate SPA resource input to eliminate malformed data
  • If the SPA authentication driver is not required, disable it or replace it with a more secure authentication method

Advisories

No advisories yet.

History

Fri, 01 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 05:45:00 +0000

Type | Values Removed | Values Added
Title | | Out-of-Bounds Write and Data Disclosure via Exim SPA Authentication Driver

Fri, 01 May 2026 02:30:00 +0000

Type Values Removed Values Added
References

Fri, 01 May 2026 02:00:00 +0000

Type Values Removed Values Added
References

Thu, 30 Apr 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.
First Time appeared | | Exim; Exim exim
Weaknesses | | CWE-909
CPEs | | cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*
Vendors & Products | | Exim; Exim exim
References | |
Metrics (cvssV3_1) | | {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T14:25:12.276Z

Reserved: 2026-04-14T00:00:00.000Z

Link: CVE-2026-40687

Vulnrichment

Updated: 2026-05-01T14:25:08.569Z

NVD

Status: Analyzed

Published: 2026-04-30T22:16:25.923

Modified: 2026-05-01T19:17:51.200

Link: CVE-2026-40687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T05:30:09Z

Weaknesses