CVE-2026-40685
Heap Out-of-Bounds Write in Exim with JSON Lookup
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| exim | exim | all versions before 4.99.2 (4.99.2 itself is not affected) |
Exploitability
| CWE ID | Name | Description |
|---|---|---|
| CWE-684 | Incorrect Provision of Specified Functionality | The code does not function according to its published specifications, potentially leading to incorrect usage. |
| CWE-787 | Out-of-bounds Write | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
Exim versions before 4.99.2, built with JSON lookup support, contain an out-of-bounds heap write. It is reachable when a JSON operator in the Exim configuration is applied to malformed JSON taken from an untrusted message header. The root cause is incorrect handling of backslash (\) escape sequences in the JSON parsing code: a crafted escape sequence makes the parser write outside the bounds of a heap buffer.
How can this vulnerability impact me?
The vulnerability has a CVSS base score of 6.5 (medium severity). A heap out-of-bounds write most directly crashes the Exim process handling the message, a denial of service; depending on what is overwritten, it may also allow an attacker to execute arbitrary code in the context of that process. The attack is network-reachable (a crafted message header is enough) and needs no privileges or user interaction, but it carries high attack complexity, since the target's configuration must apply a JSON operator to the untrusted header.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Two conditions must hold for the bug to be reachable: the running Exim is older than 4.99.2 and built with JSON lookup support, and the configuration applies a JSON operator to externally supplied input, typically a message header.
Check the version with `exim -bV`, which prints the version on its first line and the compiled-in support options below it. Then review the configuration (ACLs, routers, transports and any included files) for JSON operators whose input comes from header variables or other untrusted data.
Since the bug is triggered by malformed JSON in a header, entries in Exim's panic log or crashes while a message's data is being processed, as well as JSON parsing errors in the main log, are worth monitoring as signs of attempted exploitation.
Beyond the version check, the available resources provide no ready-made detection commands; the configuration review is manual.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Exim to version 4.99.2 or later, which addresses this vulnerability along with others fixed in that release.
If upgrading immediately is not possible, change the configuration so that no JSON operator is applied to externally provided input: either stop using JSON operators on header data, or feed them only data you control (for example a local file), so that a malformed header can no longer reach the JSON parser.
Monitor your systems for crashes or other unusual behaviour of the Exim process, which could indicate exploitation attempts.
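The following script is an added example illustrating both the detection questions and the configuration mitigation above; it is not Exim project code and not part of the advisory. It assumes (an assumption, not something the advisory states) that the "JSON operator" is Exim's `${extract json{...}{...}}` / `${extract jsons{...}{...}}` expansion item or a `${lookup{...}json{...}}` lookup, and that untrusted header data reaches it through the `$h_`, `$rh_`, `$bh_` or `$header_` expansion variables. The two sample configurations it scans are constructed for the demo; the version line stands in for the first line of `exim -bV` on a real host.

```shell
#!/bin/sh
# Added example for CVE-2026-40685 exposure checks (not from the Exim project).
# Assumptions: the vulnerable "JSON operator" is ${extract json...}/${extract jsons...}
# or a ${lookup{...}json{...}}, and header data arrives via $h_/$rh_/$bh_/$header_.

# exim_version_vulnerable "<first line of exim -bV>"
# Returns 0 if the reported version is older than 4.99.2, 1 if not, 2 if unparsable.
exim_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # "4.98" has no third component; treat it as 4.98.0
    [ "$patch" = "$rest" ] && patch=0
    [ "$major" -lt 4 ] && return 0
    [ "$major" -gt 4 ] && return 1
    [ "$minor" -lt 99 ] && return 0
    [ "$minor" -gt 99 ] && return 1
    [ "$patch" -lt 2 ] && return 0
    return 1
}

# exim_config_json_on_headers <config-file>
# Prints each line that applies a JSON operator/lookup to header-derived data on
# the same line and returns 0 if any were found, 1 otherwise. Heuristic only: a
# multi-line expansion, or header data parked in an ACL variable first, is missed,
# so a clean result does not prove the configuration is safe.
exim_config_json_on_headers() {
    grep -nE '\$[{]extract[[:space:]]+jsons?[[:space:]]*[{]|\$[{]lookup[[:space:]]*[{][^}]*[}][[:space:]]*json[[:space:]]*[{]' "$1" \
      | grep -E '\$(h|rh|bh|header|rheader|bheader)_[A-Za-z0-9_-]+:'
}

# check_host "<exim -bV line>" <config-file>
# Returns 0 when both conditions hold: old Exim and JSON applied to header data.
check_host() {
    exim_version_vulnerable "$1" || return 1
    exim_config_json_on_headers "$2" >/dev/null
}

# Constructed sample configurations (not real deployments).
# Weak: the JSON handed to ${extract json} comes straight from a message header.
VULNERABLE_CFG=$(mktemp)
cat >"$VULNERABLE_CFG" <<'EOF'
acl_check_data:
  warn  condition = ${if def:h_X-Json-Meta: {yes}{no}}
        set acl_m_tag = ${extract json{tag}{$h_X-Json-Meta:}}
  accept
EOF

# Hardened: the JSON comes from a file the operator controls, so a malformed
# header can no longer reach the parser.
HARDENED_CFG=$(mktemp)
cat >"$HARDENED_CFG" <<'EOF'
acl_check_data:
  warn  set acl_m_tag = ${extract json{tag}{${readfile{/etc/exim4/meta.json}}}}
  accept
EOF
trap 'rm -f "$VULNERABLE_CFG" "$HARDENED_CFG"' EXIT

# Constructed version line standing in for `exim -bV | head -1` on a real host.
BV_LINE='Exim version 4.98 #2 built 01-Jan-2025'
for cfg in "$VULNERABLE_CFG" "$HARDENED_CFG"; do
    if check_host "$BV_LINE" "$cfg"; then
        echo "EXPOSED: $cfg (Exim older than 4.99.2 and JSON operator applied to header data)"
    else
        echo "not flagged: $cfg (still upgrade if the version is older than 4.99.2)"
    fi
done
```

On a real host, replace `BV_LINE` with the first line of `exim -bV` and point the scan at the active configuration and every file it includes. Treat the version check as the authoritative signal: the grep only catches the single-line pattern, and the hardened sample is "not flagged" because its operator input is operator-controlled, not because the old Exim binary is any safer.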