Denial of Service Vulnerability in Exim Mail Transfer Agent
CVE-2026-40684

5.9 MEDIUM

Key Information:

Vendor: Exim
Status: Vendor
CVE Published: 30 April 2026

What is CVE-2026-40684?

A vulnerability exists in the Exim Mail Transfer Agent affecting versions before 4.99.2. On systems using musl libc, an attacker could supply malformed DNS data in PTR records, potentially causing the Exim connection instance to crash. The issue arises from an anomaly in the dn_expand function's handling of octal representations, leading to service disruption for users running the affected versions.

Affected Version(s)

Exim: all versions before 4.99.2 (0 <= version < 4.99.2)

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved