The Exim development team has released version 4.99.2 to address four newly discovered security vulnerabilities affecting the widely used mail server software. These flaws allow attackers to potentially crash servers, corrupt memory, or leak sensitive information — and given Exim’s status as one of the most widely deployed message transfer agents (MTAs) on the internet, system administrators must apply this update immediately.
Why Exim Security Matters
Exim powers a significant proportion of internet-facing email infrastructure across Linux and Unix systems. Its widespread deployment means that a single exploitable vulnerability can expose millions of mail servers to denial-of-service, data leakage, or remote code execution attacks. Threat actors routinely scan the internet for unpatched Exim versions, and exploitation often begins within hours of a public disclosure.
The Four New CVEs: A Breakdown
Exim 4.99.2 patches four distinct vulnerabilities, each affecting how the server processes external input:
- CVE-2026-40684 — Crash via Malicious DNS Data: Malformed PTR records trigger an octal printing error on systems using the musl C library, crashing the Exim process that is handling the affected connection. Because Exim looks up PTR records for connecting hosts, an attacker who controls the reverse-DNS answer for the address they connect from, or who can otherwise influence the DNS responses the server sees, can trigger this remotely, which makes it a reliable denial-of-service vector against musl-based deployments such as Alpine Linux. The advisory ties the crash to musl, so the exposed population is musl-based builds rather than glibc-based distributions.
- CVE-2026-40685 — Heap Corruption via JSON Operators on Invalid Input: Applying Exim's JSON extraction operators to malformed, externally supplied input causes out-of-bounds reads and writes that can corrupt the heap. Exposure therefore depends on the configuration feeding untrusted data (for example header contents) to those operators. Depending on the Exim version and platform, an out-of-bounds write of this kind could potentially be escalated to code execution, though the advisory focuses on the corruption primitive.
- CVE-2026-40686 — Information Leakage via Malformed Trailing UTF-8: Processing headers whose trailing bytes form a malformed UTF-8 sequence (for example a multi-byte character cut short at the end of the header) can trigger an out-of-bounds read. The bytes read past the buffer can end up in an error message, and if that message is reused for subsequent emails handled on the same connection, they are disclosed to the sending party. An attacker sending specially crafted messages could thus extract fragments of process memory.
- CVE-2026-40687 — Out-of-Bounds Vulnerabilities in the SPA Authenticator: When Exim connects to an external SPA/NTLM authentication service that is compromised or attacker-controlled, crafted responses can crash the Exim instance or leak heap memory to the remote side. This matters in environments where Exim authenticates to remote services with SPA/NTLM, for example when relaying through a smarthost that requires it, because the remote server can use the exchange to probe Exim's memory. Unlike the other three flaws, it is not triggered by inbound mail but by a connection that Exim itself initiates.
Understanding the Risk: Out-of-Bounds Memory Attacks
Three of the four vulnerabilities involve out-of-bounds memory access, a category of flaw that remains among the most dangerous in systems-level software. An out-of-bounds read or write occurs when a program accesses memory past the end (or before the start) of the buffer it intended to use, touching whatever happens to sit next to it: other data structures, heap metadata, or unrelated allocations. This enables two primary attack classes:
- Data extraction: Reading memory outside intended boundaries can leak sensitive data including private keys, credentials, or email content held in process memory.
- Memory corruption: Writing outside allocated buffers can overwrite data structures, potentially enabling attackers to redirect program execution or achieve remote code execution in advanced exploitation scenarios.
The DNS-related crash (CVE-2026-40684) specifically highlights how a single malformed DNS record can produce a denial-of-service condition — an especially impactful outcome for organizations that rely on Exim as their primary inbound mail gateway.
Affected Versions and End-of-Life Considerations
All four vulnerabilities affect Exim versions prior to 4.99.2. The Exim development team has explicitly stated that older branches of the codebase are no longer actively maintained. This means that legacy deployments — including any installations running Exim 4.97 or earlier — may carry these vulnerabilities permanently unless upgraded to the current branch.
Organizations that cannot immediately upgrade to 4.99.2 should evaluate their exposure and consider restricting inbound SMTP connections to known sources as a temporary mitigating control. Note that this only narrows the three flaws driven by inbound traffic (the PTR-record crash, the JSON operator corruption and the UTF-8 header over-read); the SPA authenticator flaw is triggered by a server that Exim connects to, so it calls for reviewing outbound authentication targets instead.
Mitigation Steps for Administrators
System administrators should take the following actions without delay:
- Upgrade to Exim 4.99.2 — Available as a tarball from the official Exim FTP site and directly from the official Exim Git repository. Distribution packages sometimes backport fixes under the older version number, so check the package changelog or your vendor's advisory rather than relying on the version string alone.
- Review the configuration for expansions that apply Exim's JSON extraction operators (${extract json...} and ${extract jsons...}) to externally supplied data such as header contents, and avoid feeding untrusted input to them until the upgrade is in place. The UTF-8 header flaw lives in Exim's own header processing rather than in any configurable operator, so it is addressed by upgrading.
- Audit SPA/NTLM authenticator configurations, especially any with client_* options set, to verify that the remote services Exim authenticates to are trusted and not potentially attacker-controlled.
- Monitor for unexpected Exim process crashes (in the main and panic logs, or as core dumps) on musl-based hosts, and for unusual PTR record contents in DNS logs, as possible indicators of exploitation attempts against CVE-2026-40684.
- Apply network-level controls to limit exposure of SMTP endpoints to untrusted sources where operationally feasible.
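The version check from the previous section and the configuration review steps above, as an added example that is not part of the original article or the Exim project: a POSIX shell script that compares the installed version against 4.99.2, greps the configuration for the JSON extraction operators and for SPA authenticators used in client mode, and flags musl-based hosts. It assumes the standard `exim -bV` and `exim -bP config` invocations; the sample version string and configuration fragments are constructed for the demonstration, and the musl detection (looking for the ld-musl loader) is a heuristic.

```sh
#!/bin/sh
# Added exposure check for the Exim 4.99.2 advisory; not Exim project code.
# Assumptions: `exim -bV` prints a line starting "Exim version X.Y.Z" and
# `exim -bP config` dumps the effective configuration (both standard Exim
# invocations). With no exim binary present it runs on the constructed sample
# data at the bottom so the logic can be exercised offline.

FIXED_VERSION="4.99.2"   # first release carrying all four fixes

# version_lt A B : true when dotted version A is older than B ("4.99" < "4.99.2").
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# exim_version_from_bv TEXT : pulls "4.98.2" out of `exim -bV` output.
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# config_uses_json_ops TEXT : true if any expansion applies ${extract json...}
# or ${extract jsons...}, the JSON operators at issue in CVE-2026-40685.
config_uses_json_ops() {
    printf '%s\n' "$1" | grep -Eq '[$][{]extract[[:space:]]+jsons?[[:space:]]*[{]'
}

# config_has_spa_client TEXT : true if an authenticator with "driver = spa"
# also sets client_* options, i.e. Exim authenticates *to* a remote server
# with SPA/NTLM, the exposure for CVE-2026-40687. Server-only SPA is ignored.
config_has_spa_client() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]*:[[:space:]]*$/ { drv = ""; cli = 0 }   # new "name:" stanza
        /^[[:space:]]*driver[[:space:]]*=[[:space:]]*spa[[:space:]]*$/ { drv = "spa" }
        /^[[:space:]]*client_(username|password|domain)[[:space:]]*=/ { cli = 1 }
        drv == "spa" && cli { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# libc_is_musl : heuristic for musl-based hosts (e.g. Alpine), where the
# CVE-2026-40684 PTR-record crash applies.
libc_is_musl() {
    for f in /lib/ld-musl-*.so.1 /usr/lib/ld-musl-*.so.1; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# report VERSION CONFIG_TEXT : prints one line per finding; return value = number of findings.
report() {
    ver="$1"; cfg="$2"; findings=0
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE: Exim $ver predates $FIXED_VERSION; upgrade (or confirm a vendor backport)"
        findings=$((findings + 1))
    fi
    if config_uses_json_ops "$cfg"; then
        echo "REVIEW: JSON extract operators in config (CVE-2026-40685); make sure their input is trusted"
        findings=$((findings + 1))
    fi
    if config_has_spa_client "$cfg"; then
        echo "REVIEW: SPA/NTLM client authentication configured (CVE-2026-40687); verify the remote server"
        findings=$((findings + 1))
    fi
    if libc_is_musl; then
        echo "NOTE: musl libc detected; the PTR-record crash (CVE-2026-40684) applies to this host"
        findings=$((findings + 1))
    fi
    return $findings
}

# --- constructed sample data (stands in for real exim output when exim is absent) ---
SAMPLE_BV="Exim version 4.98.2 #2 built 01-Jan-2025 00:00:00"
SAMPLE_CONFIG='
begin acl
acl_check_data:
  warn  set acl_m_meta = ${extract json{id}{$h_x-meta:}}
  accept

begin authenticators
smarthost_spa:
  driver = spa
  client_username = relay-user
  client_password = ${lookup{relay}lsearch{/etc/exim/relay.pw}}
  client_domain = CORP
'
SAMPLE_CONFIG_SERVER_ONLY='
spa_server:
  driver = spa
  public_name = NTLM
  server_password = ${lookup{$auth1}lsearch{/etc/exim/ntlm.pw}}
'

if command -v exim >/dev/null 2>&1; then
    ver=$(exim_version_from_bv "$(exim -bV 2>/dev/null)")
    cfg=$(exim -bP config 2>/dev/null)
else
    echo "exim not found; checking the constructed sample instead"
    ver=$(exim_version_from_bv "$SAMPLE_BV")
    cfg="$SAMPLE_CONFIG"
fi
report "$ver" "$cfg" || true
```

Run it as the user that can read the Exim configuration; on a host with Exim installed it reports against the live version and config, otherwise against the sample, where it flags the old version, the JSON operator in the ACL and the client-mode SPA authenticator. A server-only SPA authenticator (one with server_password but no client_* options) is deliberately not flagged, because the advisory describes the SPA flaw as triggered by a service Exim connects to.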
Act Now: The Automated Exploitation Window Is Narrow
Threat actors routinely deploy automated scanners to identify unpatched mail servers connected to the internet. The window between public vulnerability disclosure and active exploitation attempts is frequently measured in hours, not days. Given Exim’s prevalence in Linux-based hosting environments, these four vulnerabilities will attract rapid attention from both automated botnets and targeted threat actors. Patching must be treated as an immediate operational priority.