PT-2026-36198 · Exim+2
Bernard Quatermass · Published 2026-04-29 · Updated 2026-05-04

CVE-2026-40687
CVSS v3.1: 9.1 (Critical)

| Metric | Value |
|---|---|
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Exim versions prior to 4.99.2
Description
When the SPA authentication driver is used with an adversarial SPA resource, an out-of-bounds write can occur, leading to a crash of the connection instance. Additionally, erroneous data processing may result in the disclosure of data from uninitialized heap memory. Consistent with the CVSS vector above, the issue is reachable over the network without prior authentication or user interaction, and its impact is on confidentiality (heap memory disclosure) and availability (crash), not integrity.
Recommendations
Update to version 4.99.2 or later.
Affected Products
- Exim
- Linuxmint
- Ubuntu