Out-of-bounds read in Exim - CVE-2026-40686


Published: May 7, 2026


Vulnerability identifier: #VU130456
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-40686
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Exim
Software vendor: Exim

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the UTF-8 operators when processing malformed UTF-8 in headers with large trailing characters. A remote attacker can supply malformed UTF-8 header data to disclose sensitive information.

Data leakage may occur if error messages are required for subsequent emails in the current connection and similar malformed headers are present.
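The bug class named above, as an added illustration that is not Exim's code and does not reproduce the specific defect behind CVE-2026-40686: a multibyte UTF-8 lead byte near the end of a header buffer promises more continuation bytes than the buffer still holds, and a decoder that trusts the lead byte reads past the end. The validator below checks the remaining length before touching any continuation byte and reports the offset of the first truncated or malformed sequence; the second function only computes how far an unchecked decoder would over-read, without performing the read. The sample headers and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Total length a UTF-8 sequence should have, judged from its lead byte.
 * Returns 0 for a byte that cannot start a sequence: a stray continuation
 * byte (0x80..0xBF) or the invalid leads 0xC0, 0xC1 and 0xF5..0xFF. */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if (lead < 0xC2) return 0;
    if (lead < 0xE0) return 2;
    if (lead < 0xF0) return 3;
    if (lead < 0xF5) return 4;
    return 0;
}

/* Hardened validator: every multibyte sequence must be complete *within*
 * [buf, buf + len) before its continuation bytes are examined.
 * Returns the number of decoded characters, or -1 with *bad_off set to
 * the offset of the first malformed or truncated sequence. */
int utf8_validate(const unsigned char *buf, size_t len, size_t *bad_off)
{
    size_t i = 0;
    int count = 0;

    while (i < len) {
        size_t n = utf8_seq_len(buf[i]);

        /* Invalid lead byte, or the sequence would run past the buffer end:
         * this is the check a decoder must make before reading buf[i + k]. */
        if (n == 0 || n > len - i) {
            if (bad_off) *bad_off = i;
            return -1;
        }
        for (size_t k = 1; k < n; k++) {
            if ((buf[i + k] & 0xC0) != 0x80) {   /* continuation byte expected */
                if (bad_off) *bad_off = i;
                return -1;
            }
        }
        i += n;
        count++;
    }
    return count;
}

/* Number of bytes beyond the end of the buffer that a decoder trusting the
 * lead byte without a length check would read. This only computes the
 * over-read for a given input; it never performs it. */
size_t utf8_unchecked_overread(const unsigned char *buf, size_t len)
{
    size_t i = 0;

    while (i < len) {
        size_t n = utf8_seq_len(buf[i]);
        if (n == 0) n = 1;                  /* naive code skips a bad byte and moves on */
        if (n > len - i) return n - (len - i);
        i += n;
    }
    return 0;
}

int main(void)
{
    /* Constructed header samples: a valid one, and one ending in a 4-byte
     * lead byte (0xF0) with none of its three continuation bytes present. */
    const char *ok  = "Subject: caf\xC3\xA9";
    const char *bad = "Subject: x\xF0";
    size_t off = 0;

    printf("valid header: %d chars\n", utf8_validate((const unsigned char *)ok, strlen(ok), &off));
    printf("truncated header: rc=%d at offset %zu, unchecked over-read %zu bytes\n",
           utf8_validate((const unsigned char *)bad, strlen(bad), &off), off,
           utf8_unchecked_overread((const unsigned char *)bad, strlen(bad)));
    return 0;
}
```

The length test `n > len - i` is the whole mitigation: it is evaluated on the lead byte alone, before any continuation byte is dereferenced, so a header cut off mid-sequence is rejected at the lead byte rather than read past the buffer.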


Remediation

Install security update from vendor's website.

External links