CVE-2026-40685
Status: Received - Intake
Heap Out-of-Bounds Write in Exim with JSON Lookup

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: MITRE

Description
In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.
Meta Information
Published: 2026-04-30
Last Modified: 2026-05-01
Generated: 2026-06-16
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: exim
Product: exim
Version / Range: up to 4.99.2 (excluding)
CWE IDs
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
CWE-684: The code does not function according to its published specifications, potentially leading to incorrect usage.
Executive Summary

This vulnerability exists in Exim versions before 4.99.2 when JSON lookup is enabled. It involves an out-of-bounds heap write that can occur if a JSON operator processes malformed JSON found in an untrusted header. The root cause is an incorrect implementation of the backslash (\) escaping mechanism.

Impact Analysis

The vulnerability has a CVSS base score of 6.5 (medium severity). The out-of-bounds heap write may cause a denial of service or potentially allow an attacker to execute arbitrary code on the affected system. The attack vector is network, attack complexity is high, and no privileges or user interaction are required.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detecting exposure to this vulnerability means identifying whether your Exim configuration applies JSON operators to externally provided input, since that is the condition under which the out-of-bounds heap write can occur.

You can check your Exim configuration files for the presence of JSON lookup operators, especially in headers that process untrusted input.

Since the vulnerability triggers on malformed JSON in headers, monitoring Exim logs for errors related to JSON parsing or heap corruption may help detect exploitation attempts.

No specific commands for detection are provided in the available resources.
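Since the resources give no detection commands, here is an added shell example (not from the advisory or the Exim project) that checks the two conditions the guidance names: an installed Exim version below 4.99.2 and configuration lines that apply a JSON operator to header data. It assumes the operators in question are Exim's `${extract json{...}}` / `${extract jsons{...}}` and the `json` lookup type, and that `exim -bV` reports the version on its first line; the configuration path is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Exim: audit helpers for
# CVE-2026-40685. Assumptions: the JSON operators are "${extract json{...}}",
# "${extract jsons{...}}" and the "json" lookup type, and `exim -bV` prints
# "Exim version X.Y.Z ..." on its first line. The 4.99.2 threshold is the
# fixed version named in the advisory.

# Return 0 (shell true) if an Exim version string is older than 4.99.2.
exim_version_vulnerable() {
    v="$1"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0       # "4.98" has no patch level
    [ "$major" -lt 4 ] && return 0
    [ "$major" -gt 4 ] && return 1
    [ "$minor" -lt 99 ] && return 0
    [ "$minor" -gt 99 ] && return 1
    [ "$patch" -lt 2 ]
}

# Extract the version number from `exim -bV` output read on stdin.
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print config lines (with line numbers) that use a JSON extract operator
# or a json lookup; succeeds only if at least one such line exists.
find_json_operators() {
    grep -nE '\$[{]extract[[:space:]]+jsons?[{]|\$[{]lookup[{][^}]*[}][[:space:]]*json[{]' "$1"
}

# Usage on a live host (config path is a placeholder; it varies by distro):
#   ver=$(exim -bV | exim_version_from_bv)
#   exim_version_vulnerable "$ver" && find_json_operators /path/to/exim.conf
```

Any line the grep reports that feeds a header variable such as `$h_...:` into the operator is the pattern the mitigation guidance says to remove until the upgrade is done.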

Mitigation Strategies

The immediate mitigation step is to upgrade Exim to version 4.99.2 or later, which addresses this vulnerability along with others.

If upgrading immediately is not possible, review and modify your Exim configuration to disable or avoid using JSON operators on externally-provided input to prevent triggering the vulnerability.

Monitor your systems for unusual behavior or crashes that could indicate exploitation attempts.
