The developers of the Exim mail server have released version 4.99.2 to address four newly disclosed security vulnerabilities.
The update patches flaws that could allow a remote attacker to crash server connections, corrupt heap memory, or leak data from the server's memory.
Mail server administrators are strongly advised to apply the fixes promptly to avoid disruption of their email infrastructure.
These security patches were initially shared with Linux distribution maintainers on April 24, 2026, before being formally released on April 29.
While the public announcement faced a slight delay in reaching broader security mailing lists, the Exim team has now made the patched source code widely available.
Because Exim is one of the most popular message transfer agents for Unix-like operating systems, timely patching is essential to defend against malicious actors seeking to exploit these weaknesses.
Email servers constantly process unverified external data, which makes them prime targets for input-handling bugs.
When an Exim server handles a connection, it must safely parse attacker-controlled components such as DNS responses for reverse lookups, message headers, and authentication exchanges.
If the software fails to bound-check these inputs properly, an attacker can craft payloads that trigger memory-safety errors in the parsers.
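The reverse-DNS case is a good illustration of one such hazard: a hostile PTR record can contain non-printable bytes, and when the name is escaped for logging, each such byte expands to a four-character octal escape, so a buffer sized for the raw name is too small. The following is an added example written for this article, not Exim's code and not the specific bug patched in 4.99.2; the sample name and the helper names (`escaped_len`, `escape_octal`, `sample_*`) are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A constructed reverse-DNS name with two non-printable bytes appended
 * (hypothetical input, not real DNS data). */
static const unsigned char sample_ptr[] = "mail.example.com\x01\xff";
#define SAMPLE_LEN (sizeof sample_ptr - 1)

static int is_printable(unsigned char c)
{
    return c >= 0x20 && c < 0x7f && c != '\\';
}

/* Naive estimate: assumes one output byte per input byte. This is the
 * wrong assumption that leads to an undersized output buffer. */
size_t naive_escaped_len(const unsigned char *s, size_t n)
{
    (void)s;
    return n;
}

/* Correct estimate: a backslash becomes "\\" (2 bytes), a printable byte
 * stays as-is (1 byte), and anything else becomes "\ooo" (4 bytes). */
size_t escaped_len(const unsigned char *s, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\\')            len += 2;
        else if (is_printable(s[i])) len += 1;
        else                         len += 4;
    }
    return len;
}

/* Escape s[0..n) into out (capacity cap, NUL-terminated). Returns the
 * number of bytes written excluding the NUL, or -1 if out is too small. */
int escape_octal(const unsigned char *s, size_t n, char *out, size_t cap)
{
    size_t need = escaped_len(s, n);
    if (need + 1 > cap)
        return -1;                     /* refuse instead of overflowing */
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = s[i];
        if (c == '\\') {
            out[o++] = '\\'; out[o++] = '\\';
        } else if (is_printable(c)) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = (char)('0' + ((c >> 6) & 7));
            out[o++] = (char)('0' + ((c >> 3) & 7));
            out[o++] = (char)('0' + (c & 7));
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Demo helpers over the constructed sample. */
int sample_escaped_len(void) { return (int)escaped_len(sample_ptr, SAMPLE_LEN); }
int sample_naive_len(void)   { return (int)naive_escaped_len(sample_ptr, SAMPLE_LEN); }

/* Escape the sample into an internal 64-byte buffer, honouring cap (<= 64). */
int sample_escape_with_cap(size_t cap)
{
    static char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    return escape_octal(sample_ptr, SAMPLE_LEN, buf, cap);
}

/* Returns 1 if escaping the sample yields exactly `expected`. */
int sample_escape_equals(const char *expected)
{
    char buf[64];
    if (escape_octal(sample_ptr, SAMPLE_LEN, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[64];
    printf("naive length %d, real length %d\n", sample_naive_len(), sample_escaped_len());
    if (escape_octal(sample_ptr, SAMPLE_LEN, buf, sizeof buf) >= 0)
        printf("escaped: %s\n", buf);
    printf("into a 20-byte buffer: %d\n", sample_escape_with_cap(20));
    return 0;
}
```

The point to take from the example is that the size check happens before any byte is written, and that the estimate accounts for the worst-case expansion of every byte rather than the raw length.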
Discovered Vulnerabilities
Four issues, each assigned a CVE identifier, affect earlier versions of the software. The Exim 4.99.2 release resolves the following:
- CVE-2026-40684 is a possible crash triggered by malicious DNS data in PTR records, caused by an octal-printing error that affects builds using musl libc rather than glibc.
- CVE-2026-40685 allows out-of-bounds read and write operations when processing malformed JSON data in email headers, which can directly corrupt the heap.
- CVE-2026-40686 is an out-of-bounds read caused by a multi-byte UTF-8 sequence at the end of a header whose trailing bytes run past the buffer; the over-read bytes can be leaked if the server generates error messages for subsequent emails on the same connection.
- CVE-2026-40687 is an out-of-bounds read and write in the SPA authentication driver, allowing a hostile remote connection to crash the instance or leak heap data.
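The UTF-8 case (CVE-2026-40686 above) is the classic form of a trailing-sequence over-read: a lead byte announces how many continuation bytes follow, and a decoder that trusts the lead byte reads past the end of the header when those bytes are not there. The block below is an added example written for this article, not Exim's code; the header samples are constructed, and `naive_overread` only reports how far a trusting decoder would read past the end instead of actually doing it, so the example runs safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed header samples (hypothetical, not captured traffic). */
static const unsigned char hdr_ok[]        = "Subject: caf\xc3\xa9"; /* "café", complete  */
static const unsigned char hdr_truncated[] = "Subject: caf\xc3";     /* lead byte, no trailer */
static const unsigned char hdr_four[]      = "Subject: \xf0\x9f";    /* 4-byte lead, 2 of 4 bytes */

/* Sequence length announced by a lead byte; 0 for an invalid lead
 * (a stray continuation byte or 0xF8..0xFF). */
static size_t utf8_seq_len(unsigned char b)
{
    if (b < 0x80)          return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

/* The vulnerable pattern, modelled rather than executed: walk the buffer
 * trusting each lead byte and report how many bytes past `n` a decoder
 * that copied the whole sequence would read. 0 means no over-read. */
size_t naive_overread(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        size_t l = utf8_seq_len(s[i]);
        if (l == 0) l = 1;
        if (i + l > n)
            return i + l - n;          /* these bytes lie beyond the header */
        i += l;
    }
    return 0;
}

/* Hardened walk: every sequence must fit inside [0, n) and every
 * continuation byte must match 10xxxxxx. Returns the number of code
 * points, or -1 with *bad set to the offending offset. (Overlong forms
 * and surrogates are not checked here; a full validator would add that.) */
long utf8_validate(const unsigned char *s, size_t n, size_t *bad)
{
    size_t i = 0;
    long count = 0;
    while (i < n) {
        size_t l = utf8_seq_len(s[i]);
        if (l == 0 || i + l > n) {     /* bounds check BEFORE touching s[i+k] */
            if (bad) *bad = i;
            return -1;
        }
        for (size_t k = 1; k < l; k++) {
            if ((s[i + k] & 0xC0) != 0x80) {
                if (bad) *bad = i + k;
                return -1;
            }
        }
        i += l;
        count++;
    }
    return count;
}

/* Offset of the first bad byte, or n if the buffer validates. */
size_t first_bad_offset(const unsigned char *s, size_t n)
{
    size_t bad = n;
    if (utf8_validate(s, n, &bad) < 0) return bad;
    return n;
}

int main(void)
{
    printf("complete header: %ld code points, over-read %zu\n",
           utf8_validate(hdr_ok, sizeof hdr_ok - 1, NULL),
           naive_overread(hdr_ok, sizeof hdr_ok - 1));
    printf("truncated 2-byte sequence: over-read %zu, first bad offset %zu\n",
           naive_overread(hdr_truncated, sizeof hdr_truncated - 1),
           first_bad_offset(hdr_truncated, sizeof hdr_truncated - 1));
    printf("truncated 4-byte sequence: over-read %zu\n",
           naive_overread(hdr_four, sizeof hdr_four - 1));
    return 0;
}
```

The difference between the two walks is a single comparison, `i + l > n`, performed before any continuation byte is dereferenced. Whatever sits in memory past the end of the header is what a trusting decoder would copy into an error string, which is why the page's note about leakage through later error messages matters.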
The primary risk from these vulnerabilities is denial of service through unexpected connection crashes, with potential exposure of memory contents as a secondary concern.
An attacker sending specially crafted headers or malicious DNS responses could temporarily knock out a network's mail processing.
Deployments that use the JSON expansion operators or SPA/NTLM authenticators face an elevated risk, since two of the four issues are only reachable through those features.
To secure their environments, system administrators should upgrade to Exim version 4.99.2 through the official project channels or their distribution's package updates.
The Exim maintainers emphasize that older release lines are no longer maintained, so users running legacy versions will remain vulnerable unless they migrate.
Updated release files and signed Git tags are available on the official Exim infrastructure.