CVE-2026-40684
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Exim | Exim | 0 < 4.99.2 | affected |
Weaknesses
- CWE-684: CWE-684 Incorrect Provision of Specified Functionality
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://www.openwall.com/lists/oss-security/2026/04/30/21
- https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment
- https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81
- https://exim.org/static/doc/security/CVE-2026-40684.txt
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.