PT-2026-44997 · Exim · Exim

Sin99Xx +1 · Published 2026-05-29 · Updated 2026-05-30 · CVE-2026-48840

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Exim versions 4.88 through 4.99.3

Description

In certain proxy configurations, the PROXY-protocol parser mishandles short payloads, resulting in a pre-authentication information disclosure. This issue allows the leakage of uninitialized stack memory values, specifically live userspace virtual address (VA) pointers, to a client. This can be used as a primitive to defeat Address Space Layout Randomization (ASLR), which is a security technique used to prevent exploitation by randomizing the memory addresses used by a process.

Recommendations

Update to version 4.99.4.
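
The bug class named in the Description, a PROXY-protocol parser that accepts a payload shorter than the address block it goes on to read, is closed by the length check in this added example. It is not Exim's code or the 4.99.4 patch: the field layout follows the HAProxy PROXY protocol v2 specification, `pp2_parse`, `struct pp2_peer` and the `PP2_*` codes are hypothetical names, and that Exim's defect has exactly this shape is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PROXY protocol v2 signature; it is followed by ver/cmd, fam/proto, length. */
static const uint8_t PP2_SIG[12] =
    { 0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A };

enum { PP2_OK = 0, PP2_TRUNCATED = -1, PP2_BAD_SIG = -2,
       PP2_BAD_VERSION = -3, PP2_SHORT_PAYLOAD = -4, PP2_UNSUPPORTED = -5 };

struct pp2_peer {            /* hypothetical result type for this example */
    uint8_t  family;         /* 4 or 6; 0 when parsing failed */
    uint8_t  src[16], dst[16];
    uint16_t src_port, dst_port;
};

/* Parse one v2 header from buf[0..n). Every field of *out is either taken
 * from validated input or left zero, so a reply built from it cannot echo
 * stale stack contents. */
int pp2_parse(const uint8_t *buf, size_t n, struct pp2_peer *out)
{
    memset(out, 0, sizeof *out);                      /* no stale bytes */
    if (n < 16) return PP2_TRUNCATED;                 /* fixed header */
    if (memcmp(buf, PP2_SIG, sizeof PP2_SIG) != 0) return PP2_BAD_SIG;
    if ((buf[12] >> 4) != 2) return PP2_BAD_VERSION;
    if ((buf[12] & 0x0F) != 1) return PP2_UNSUPPORTED; /* only PROXY cmd here */

    size_t len = ((size_t)buf[14] << 8) | buf[15];    /* declared payload */
    if (n - 16 < len) return PP2_TRUNCATED;           /* not all received */

    size_t alen;                                      /* bytes per address */
    switch (buf[13]) {
    case 0x11: alen = 4;  break;                      /* TCP over IPv4 */
    case 0x21: alen = 16; break;                      /* TCP over IPv6 */
    default:   return PP2_UNSUPPORTED;
    }
    /* The check a short payload must fail: the declared length has to cover
     * the whole address block (2 addresses + 2 ports) before it is read. */
    if (len < 2 * alen + 4) return PP2_SHORT_PAYLOAD;

    const uint8_t *p = buf + 16;
    memcpy(out->src, p, alen);
    memcpy(out->dst, p + alen, alen);
    out->src_port = (uint16_t)((p[2 * alen] << 8) | p[2 * alen + 1]);
    out->dst_port = (uint16_t)((p[2 * alen + 2] << 8) | p[2 * alen + 3]);
    out->family = (alen == 4) ? 4 : 6;
    return PP2_OK;
}
```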

Related Identifiers

CVE-2026-48840

Affected Products

Exim