VYPR
Medium severity4.8NVD Advisory· Published Apr 30, 2026· Updated May 1, 2026

CVE-2026-40687

CVE-2026-40687

Description

In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Exim/Exim2 versions
    cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*range: <4.99.2
    • (no CPE)range: <4.99.2

Patches

Vulnerability mechanics

References

4

News mentions

1