Out-of-Bounds Read in Exim Email Software by Exim
CVE-2026-40686

3.7LOW

Key Information:

Vendor: Exim
Status: Exim
Vendor: CVE Published:; 30 April 2026

What is CVE-2026-40686?

In Exim versions prior to 4.99.2, enabling utf8 operators results in an out-of-bounds read vulnerability when handling certain malformed UTF-8 header data. This flaw can lead to unintended information disclosure within error messages generated while processing unrelated email messages, posing a risk to the confidentiality of email communications.

Affected Version(s)

Exim 0 < 4.99.2

References

https://www.openwall.com/lists/oss-security/2026/04/30/21

https://exim.org/static/doc/security/cve-2026-04.1/CVE202...

https://code.exim.org/exim/exim/commit/f2570bde16fb4d4a12...

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 30, 2026
Vulnerability Reserved
Apr 14, 2026

CVE-2026-40686 Data

JSON