CVE-2026-40687
Received Received - Intake
Out-of-Bounds Write in Exim with SPA Authentication

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: MITRE

Description
In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40687
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
exim exim to 4.99.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-909 The product does not initialize a critical resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Exim versions before 4.99.2 when using the SPA authentication driver. An adversarial SPA resource can trigger an out-of-bounds write, which may crash the connection instance or cause erroneous data processing that leads to the disclosure of data from uninitialized heap memory.

Compliance Impact

This vulnerability in Exim before 4.99.2 can cause an out-of-bounds write leading to a crash of the connection instance or an information leak from uninitialized heap memory.

The information leak could potentially expose sensitive data, which may impact compliance with data protection regulations such as GDPR or HIPAA that require safeguarding personal and health information.

However, the vulnerability only causes a crash of the connection process (not the entire daemon) and the information leak is limited to uninitialized heap memory, which may reduce the scope of data exposure.

Organizations using vulnerable versions of Exim with the SPA authentication driver should consider this risk in their compliance assessments and apply patches to mitigate potential data exposure.

Detection Guidance

This vulnerability occurs when the SPA authentication driver is used with a malicious SPA resource, causing an out-of-bounds write that crashes the connection instance or leaks uninitialized heap memory.

Detection involves monitoring for remote-triggered crashes of the Exim connection process or unusual information leaks related to SPA authentication.

Specific commands or detection tools are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include disabling or avoiding the use of the SPA authentication driver in Exim until a fixed version (4.99.2 or later) is applied.

Updating Exim to version 4.99.2 or later will address the vulnerability.

Impact Analysis

The vulnerability can cause the Exim connection instance to crash, leading to denial of service. Additionally, it can result in the exposure of sensitive data from uninitialized heap memory, potentially leaking information unintentionally.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40687. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart