In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-04-30
In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.
CVSS Score
6.5
EPSS Score
0.001
Published
2026-04-30
In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.
CVSS Score
3.7
EPSS Score
0.0
Published
2026-04-30
In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.
CVSS Score
4.8
EPSS Score
0.001
Published
2026-04-30
Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation.
CVSS Score
7.0
EPSS Score
0.001
Published
2025-12-14
A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges.
CVSS Score
8.1
EPSS Score
0.001
Published
2025-03-28
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)
CVSS Score
7.5
EPSS Score
0.751
Published
2025-02-21