Security researchers at the National Institute of Standards and Technology (NIST) have uncovered critical security flaws in the Exim mail server that could allow remote attackers to take complete control of vulnerable systems.
The vulnerabilities affect Exim version 4.99 when it is built with SQLite hints-database support, exposing thousands of mail servers to potential compromise.
Two Critical Flaws Discovered
The research team identified two distinct vulnerabilities in Exim’s SQLite database implementation.
The first is an incomplete fix for the SQL injection flaw CVE-2025-26794: the patched code still fails to escape single-quote characters in values that are interpolated into database queries.
Attackers can exploit this weakness by sending specially crafted SMTP commands whose sender addresses carry SQL injection payloads.
The second vulnerability is a heap buffer overflow caused by database fields being used as array bounds without validation.
When the bloom filter code processes untrusted data read back from the database, it can write far beyond the allocated buffer, potentially corrupting up to 1.5 megabytes of heap memory.
| CVE ID | Vulnerability Type | CWE | Severity | Attack Vector | Impact |
|---|---|---|---|---|---|
| Related to CVE-2025-26794 | SQL Injection (Incomplete Fix) | CWE-89 | High | Remote (SMTP) | Arbitrary SQL query execution, data exfiltration |
| Pending Assignment | Heap Buffer Overflow | CWE-122, CWE-787, CWE-843 | Critical | Remote (SMTP) | Heap corruption, potential remote code execution |
The heap overflow is not a blind memory smash: according to the researchers it gives attackers precise control over the corruption, including the ability to target specific heap locations and write arbitrary byte values.
These vulnerabilities are only exploitable under specific configurations. The server must be built with SQLite hints-database support and must use ratelimit Access Control List (ACL) conditions whose key incorporates attacker-controlled data such as the sender address.
The most exposed configurations are those using “per_addr” mode with an explicit sender-address key, or a “unique” parameter whose value is attacker-controlled.
While the researchers successfully demonstrated heap corruption and controlled memory writes, they were unable to develop a complete remote code-execution exploit because of modern mitigations such as Address Space Layout Randomization (ASLR).
They warn, however, that a determined attacker with additional time and resources may still achieve full system compromise.
Exim maintainers have been notified and are working on security patches. The recommended fixes are to escape single quotes properly before values are interpolated into SQL queries, and to validate the size fields read from the database before using them as array bounds.
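The two recommended fixes, shown as an added, self-contained C illustration written for this article (it is neither Exim's source nor the maintainers' patch). The first half interpolates a constructed sender address into a query with and without quote escaping and checks whether the payload ended up outside the string literal; the second half parses a constructed bloom-filter record and refuses a declared size that the stored blob cannot back. The table and column names, the record layout and the `BLOOM_MAX_BYTES` cap are all assumptions for the example, not Exim's schema or on-disk format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Fix 1: escape single quotes before a value enters an SQL literal ---- */

/* Return a malloc'd copy of `in` with every ' doubled ('' is how SQLite and
 * standard SQL spell a literal quote inside a '...' string). Caller frees. */
char *sql_quote(const char *in)
{
    size_t n = strlen(in), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i] == '\'') extra++;
    char *out = malloc(n + extra + 1);
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') *p++ = '\'';
        *p++ = in[i];
    }
    *p = '\0';
    return out;
}

/* Build a hints lookup keyed by an attacker-controlled string. escape == 0
 * interpolates the raw key (the incomplete-fix behaviour the article
 * describes); escape == 1 applies sql_quote() first. Table and column names
 * are illustrative assumptions, not Exim's schema. */
int build_query(char *buf, size_t buflen, const char *key, int escape)
{
    char *quoted = escape ? sql_quote(key) : NULL;
    if (escape && !quoted) return -1;
    int n = snprintf(buf, buflen, "SELECT dat FROM hints WHERE ky='%s';",
                     escape ? quoted : key);
    free(quoted);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Return 1 if `needle` appears in `q` outside every '...' literal, i.e. the
 * attacker's text became SQL syntax rather than data. A doubled quote inside
 * a literal is treated as an escaped quote, as SQLite does. */
int outside_literal(const char *q, const char *needle)
{
    size_t nl = strlen(needle);
    int in_lit = 0;
    for (const char *p = q; *p; p++) {
        if (*p == '\'') {
            if (in_lit && p[1] == '\'') { p++; continue; }
            in_lit = !in_lit;
            continue;
        }
        if (!in_lit && strncmp(p, needle, nl) == 0) return 1;
    }
    return 0;
}

/* ---- Fix 2: validate a size field read back from the database ---- */

/* Constructed record layout for this example: 4-byte little-endian bit count,
 * then the filter bytes. This is an assumption, NOT Exim's on-disk format. */
#define BLOOM_MAX_BYTES (64u * 1024u)   /* hypothetical sanity cap */

typedef struct { uint32_t nbits; uint8_t *bits; size_t nbytes; } bloom_view;

/* Refuse any record whose declared size is not backed by bytes actually
 * present in the blob; the unfixed code trusted the field and indexed past the end. */
int bloom_parse(uint8_t *blob, size_t blob_len, bloom_view *out)
{
    if (blob_len < 4) return -1;
    uint32_t nbits = blob[0] | (blob[1] << 8) | (blob[2] << 16) | ((uint32_t)blob[3] << 24);
    size_t nbytes = ((size_t)nbits + 7) / 8;
    if (nbits == 0 || nbytes > BLOOM_MAX_BYTES) return -1;  /* implausible size */
    if (nbytes > blob_len - 4) return -1;                     /* claims more than stored */
    out->nbits = nbits; out->bits = blob + 4; out->nbytes = nbytes;
    return 0;
}

/* Set the bit a hash maps to; only in bounds because nbits passed bloom_parse(). */
uint32_t bloom_set(bloom_view *b, uint32_t hash)
{
    uint32_t idx = hash % b->nbits;
    b->bits[idx / 8] |= (uint8_t)(1u << (idx % 8));
    return idx;
}

int main(void)
{
    const char *payload = "x' OR 1=1 --";   /* constructed sender address */
    char q[128];
    for (int escape = 0; escape < 2; escape++) {
        build_query(q, sizeof q, payload, escape);
        printf("%s  ->  %s\n", q, outside_literal(q, "OR 1=1") ? "INJECTED" : "data only");
    }
    uint8_t rec[12] = {0x00, 0x1b, 0xb7, 0x00};   /* claims 12,000,000 bits, i.e. 1.5 MB */
    bloom_view v;
    printf("oversized record %s\n", bloom_parse(rec, sizeof rec, &v) ? "rejected" : "accepted");
    return 0;
}
```

The parse-time check is the important part: once a size field has been validated against the bytes actually stored, every later index computed from it stays inside the buffer, whereas checking each write separately is easy to miss in one code path.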
Server administrators running Exim with SQLite hints databases should monitor for updates and apply patches as soon as they are released.
Until then, organizations running potentially vulnerable configurations should consider temporarily disabling SQLite hints-database support and restricting ratelimit ACL configurations that key on sender addresses.
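What the exposed and the restricted ratelimit configurations look like, as an added illustration for this article (these fragments are constructed here and are not from the advisory or from Exim's documentation). The `ratelimit` condition follows the documented form `ratelimit = <m> / <p> / <options> / <key>`; the limits, ACL names and messages are assumptions for the example.

```exim
# Constructed example ACL fragments; adjust limits to your own traffic.
acl_smtp_rcpt = acl_check_rcpt_interim

begin acl

# Exposed shape: per_addr keeps a bloom filter of recipients seen in the hints
# DB, and the key is the attacker-supplied MAIL FROM address, so both the SQL
# key and the stored filter carry untrusted data.
acl_check_rcpt_exposed:
  deny    message   = $sender_address exceeds $sender_rate_limit recipients per $sender_rate_period
          ratelimit = 100 / 1h / per_addr / $sender_address
  accept

# Interim shape until patched: count recipient commands keyed only on the
# connecting IP address, with no per_addr and no unique= option.
acl_check_rcpt_interim:
  deny    message   = $sender_host_address exceeds $sender_rate_limit recipients per $sender_rate_period
          ratelimit = 100 / 1h / per_rcpt / $sender_host_address
  accept
```

The interim rule counts every recipient from a connecting host rather than distinct recipients per sender, so it is a coarser limit and the threshold may need raising; the trade-off is that neither the database key nor the stored counter is built from data the remote client chooses.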
The research team has committed to coordinated disclosure, giving developers time to create fixes before publicly releasing full exploit details.