Out-of-bounds read in Exim - CVE-2026-40686

Published: May 7, 2026


Vulnerability identifier: #VU130456
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-40686
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Exim
Affected software:
Exim

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the utf8 operators when processing malformed UTF-8 in headers with large trailing characters. A remote attacker can supply malformed UTF-8 header data to disclose sensitive information.

Data leakage may occur if error messages are required for subsequent emails in the current connection and similar malformed headers are present.
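The advisory does not reproduce Exim's own UTF-8 handling code, so the following is an added, generic illustration of the class of defect CWE-125 describes here: a decoder that trusts the byte count announced by a UTF-8 lead byte without checking how many bytes actually remain in the buffer will read past the end of a header that ends in a truncated multi-byte sequence. The function names (`utf8_seq_len_checked`, `utf8_count_chars`) and the sample header values are assumptions constructed for this example; none of it is Exim code.

```c
#include <stddef.h>
#include <stdio.h>

/* Returns the byte length of the UTF-8 sequence starting at s[0], or 0 if
 * the sequence is malformed or would extend beyond the `len` bytes that
 * remain in the buffer. The `need > len` test is the bounds check that a
 * lead-byte-only decoder lacks: without it, a header ending in a lone lead
 * byte makes the decoder read continuation bytes from past the buffer.
 * (Example code, not Exim's implementation.) */
static size_t utf8_seq_len_checked(const unsigned char *s, size_t len)
{
    if (len == 0)
        return 0;
    unsigned char c = s[0];
    size_t need;
    if (c < 0x80)
        need = 1;                          /* plain ASCII */
    else if ((c & 0xE0) == 0xC0)
        need = 2;
    else if ((c & 0xF0) == 0xE0)
        need = 3;
    else if ((c & 0xF8) == 0xF0 && c <= 0xF4)
        need = 4;
    else
        return 0;                          /* stray continuation byte or invalid lead byte */
    if (need > len)
        return 0;                          /* truncated trailing sequence: refuse to read past `len` */
    for (size_t i = 1; i < need; i++)
        if ((s[i] & 0xC0) != 0x80)
            return 0;                      /* expected continuation byte is missing */
    if (need == 2 && c < 0xC2)
        return 0;                          /* overlong 2-byte encoding (0xC0/0xC1) */
    return need;
}

/* Counts the characters in a header value of exactly `len` bytes.
 * Returns -1 as soon as a malformed or truncated sequence is found instead
 * of continuing to read. Every access stays within s[0..len-1]. */
int utf8_count_chars(const unsigned char *s, size_t len)
{
    int count = 0;
    size_t pos = 0;
    while (pos < len) {
        size_t n = utf8_seq_len_checked(s + pos, len - pos);
        if (n == 0)
            return -1;
        pos += n;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample header values (not taken from any real message). */
    const unsigned char ok[] = "Subject: h\xC3\xA9llo";     /* valid: 15 bytes, 14 characters */
    const unsigned char cut[] = "abc\xE2\x82";              /* 3-byte sequence cut off after 2 bytes */

    printf("valid header   -> %d chars\n", utf8_count_chars(ok, sizeof ok - 1));
    printf("truncated tail -> %d (rejected, no read past end)\n",
           utf8_count_chars(cut, sizeof cut - 1));
    return 0;
}
```

The check that matters for this bug class is `need > len`: the decoder learns the expected sequence length from the lead byte, but it must compare that against the bytes actually left in the header before touching any continuation byte. Rejecting the truncated value also keeps it out of any later error message, which is the path the advisory names for the leak.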


How to mitigate CVE-2026-40686

Install the security update from the vendor's website.

Sources