SB2026060607 - Ubuntu update for exim4
Published: June 6, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Command Injection (CVE-ID: CVE-2023-51766)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to spoof email messages.
The vulnerability exists due to an error when handling line endings other than <CR><LF>. A remote attacker can spoof the contents of an email message and bypass the SPF protection mechanism.
2) Out-of-bounds write (CVE-ID: CVE-2026-40685)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause memory corruption.
The vulnerability exists due to out-of-bounds read/write in json operators when processing invalid externally-provided input in headers. A remote attacker can supply corrupt JSON data to cause memory corruption.
The issue affects configurations that use json operators on externally provided input.
3) Out-of-bounds read (CVE-ID: CVE-2026-40686)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in utf8 operators when processing malformed utf8 in headers with large trailing characters. A remote attacker can supply malformed utf8 header data to disclose sensitive information.
Data leakage may occur if error messages are required for subsequent emails in the current connection and similar malformed headers are present.
4) Out-of-bounds write (CVE-ID: CVE-2026-40687)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read/write in the SPA authentication driver when handling a hostile or compromised external SPA/NTLM connection. A remote attacker can provide crafted SPA/NTLM responses to cause a denial of service.
The issue is exposed in configurations that use the SPA authentication driver and may also leak heap data to the instance.
5) Use-after-free (CVE-ID: CVE-2026-45185)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in Exim's GnuTLS backend when handling BDAT message body transfers after a TLS close_notify alert is received before the transfer is complete. A remote attacker can send a TLS close_notify alert and then a final byte in cleartext on the same TCP connection to execute arbitrary code.
Only builds configured with USE_GNUTLS=yes are vulnerable, and exploitation requires use of the CHUNKING (BDAT) SMTP extension.
6) Use of Uninitialized Variable (CVE-ID: CVE-2026-48840)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to use of uninitialized stack memory in the PROXY-protocol parser when parsing a crafted PROXY version 2 frame with an insufficient payload length. A remote attacker can send a specially crafted PROXY frame to disclose sensitive information.
Only builds compiled with SUPPORT_PROXY and configured with a non-empty hosts_proxy are vulnerable. To reach the vulnerable code, the source IP must match hosts_proxy or the crafted PROXY header must be forwarded through a host already listed in hosts_proxy.
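The bug class in item 6 is a PROXY v2 parser that reads the address block implied by the family byte without first checking that the peer-supplied length field actually covers it, so part of the decoded result is left holding whatever was on the stack. The following is an added example written for this bulletin, not Exim's parser or any code from the Exim project: a minimal defensive PROXY v2 header parser in C that zeroes its output up front, refuses frames whose declared length is shorter than the address block, and never reads past the bytes it has been given. The frame layout (12-byte signature, version/command byte, family/protocol byte, big-endian length, then addresses) follows the published PROXY protocol v2 specification; the function and type names, the result codes and the sample frames are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PROXY protocol v2 signature, 12 bytes (from the PROXY protocol spec). */
static const uint8_t PP2_SIG[12] = {
    0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A
};

enum pp2_result {
    PP2_OK = 0,          /* header parsed, out filled */
    PP2_NEED_MORE,       /* buffer does not yet hold the whole frame */
    PP2_BAD_SIG,         /* not a PROXY v2 frame */
    PP2_BAD_VERSION,     /* version/command nibble not understood */
    PP2_SHORT_PAYLOAD,   /* declared length too small for the address block */
    PP2_UNSUPPORTED      /* address family this example does not decode */
};

struct pp2_addr {
    uint8_t  src[4], dst[4];
    uint16_t sport, dport;
    size_t   consumed;   /* bytes of buf used by the frame */
};

/* Parse one v2 frame from buf[0..have). Only AF_INET over TCP is decoded. */
enum pp2_result pp2_parse(const uint8_t *buf, size_t have, struct pp2_addr *out)
{
    /* Clear the output first so an early error return never hands the
       caller stale stack contents (the failure mode described in item 6). */
    memset(out, 0, sizeof *out);

    if (have < 16)                      return PP2_NEED_MORE;
    if (memcmp(buf, PP2_SIG, 12) != 0)  return PP2_BAD_SIG;

    uint8_t  ver_cmd   = buf[12];
    uint8_t  fam_proto = buf[13];
    uint16_t len       = (uint16_t)((buf[14] << 8) | buf[15]);

    if ((ver_cmd & 0xF0) != 0x20)       return PP2_BAD_VERSION;
    if (have < 16 + (size_t)len)        return PP2_NEED_MORE;  /* wait for the rest */

    if ((ver_cmd & 0x0F) == 0x00) {     /* LOCAL command: no address block */
        out->consumed = 16 + len;
        return PP2_OK;
    }
    if ((ver_cmd & 0x0F) != 0x01)       return PP2_BAD_VERSION;
    if (fam_proto != 0x11)              return PP2_UNSUPPORTED; /* AF_INET/STREAM only */

    /* The check that matters: the family implies a 12-byte address block,
       but the peer-controlled length must actually cover it before reading. */
    if (len < 12)                       return PP2_SHORT_PAYLOAD;

    memcpy(out->src, buf + 16, 4);
    memcpy(out->dst, buf + 20, 4);
    out->sport = (uint16_t)((buf[24] << 8) | buf[25]);
    out->dport = (uint16_t)((buf[26] << 8) | buf[27]);
    out->consumed = 16 + len;           /* any TLVs after the addresses are skipped */
    return PP2_OK;
}

/* Constructed sample frames for this example (not captured traffic). */
static const uint8_t SAMPLE_GOOD[28] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
    0x21, 0x11, 0x00, 0x0C,             /* v2 PROXY, TCP/IPv4, length 12 */
    10, 0, 0, 5,                        /* src 10.0.0.5 */
    192, 0, 2, 10,                      /* dst 192.0.2.10 */
    0x9C, 0x40,                         /* sport 40000 */
    0x00, 0x19                          /* dport 25 */
};
/* Declares length 4 and carries only 4 payload bytes: too short for IPv4. */
static const uint8_t SAMPLE_SHORT[20] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
    0x21, 0x11, 0x00, 0x04,
    10, 0, 0, 5
};

enum pp2_result sample_good_result(void)  { struct pp2_addr a; return pp2_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &a); }
int sample_good_sport(void) { struct pp2_addr a; pp2_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &a); return a.sport; }
enum pp2_result sample_short_result(void) { struct pp2_addr a; return pp2_parse(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &a); }
/* Same good frame, but only 20 of its 28 bytes have arrived so far. */
enum pp2_result sample_truncated_result(void) { struct pp2_addr a; return pp2_parse(SAMPLE_GOOD, 20, &a); }

int main(void)
{
    struct pp2_addr a;
    enum pp2_result r = pp2_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &a);
    printf("good: result=%d src=%u.%u.%u.%u:%u -> dst port %u\n", (int)r,
           a.src[0], a.src[1], a.src[2], a.src[3], a.sport, a.dport);
    printf("short: result=%d (expect %d)\n", (int)sample_short_result(), (int)PP2_SHORT_PAYLOAD);
    printf("truncated: result=%d (expect %d)\n", (int)sample_truncated_result(), (int)PP2_NEED_MORE);
    return 0;
}
```

The two distinct outcomes for an undersized frame are deliberate: PP2_NEED_MORE means the declared length is plausible but the bytes have not all arrived, so the caller should keep reading; PP2_SHORT_PAYLOAD means the frame is internally inconsistent and should be rejected, never partially decoded. Either way the output struct has been zeroed, so no field can carry uninitialized data back to a log line or error message. On an Exim deployment the corresponding exposure check is simply whether the binary was built with SUPPORT_PROXY and whether hosts_proxy is non-empty, as item 6 states.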
Remediation
Install the update from the vendor's website.