CVE-2026-48840
Description
Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Exim 4.88 through 4.99.3 in proxy configurations leaks uninitialized stack memory to clients via crafted PROXYv2 frames.
Vulnerability
In Exim versions 4.88 through 4.99.3, the proxy_protocol() function declares a stack union hdr without initialization. When processing a PROXYv2 frame, the only length check is an upper bound (frame size must not exceed sizeof(hdr)); no lower bound is enforced. A crafted frame with address family 0x21 (TCPv6) and len=0 causes the read size to be set to 16, but the read loop copies exactly 0 bytes into the union, leaving it uninitialized. This affects configurations where Exim is set to accept proxy protocol connections [1].
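As an added example (not Exim's code and not this CVE's fix), a constructed PROXYv2 header check in C showing the defensive counterpart of the bug above: the frame struct is zero-initialized, and the declared address-block length is checked against the minimum for its family (the PROXY protocol v2 spec sizes, 12 bytes for INET and 36 for INET6) as well as against the upper bound, so a frame with family 0x21 and len=0 is rejected instead of leaving the buffer unread. pp2_parse and pp2_demo are hypothetical names, and the frame bytes are constructed filler.

```c
#include <stdint.h>
#include <string.h>
/* Constructed PROXYv2 header check, not Exim's code. */
#define PP2_HDR_LEN ((size_t)16)
static const unsigned char pp2_sig[12] = /* "\r\n\r\n\0\r\nQUIT\n" */
  {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};
/* Minimum address-block length for each PROXY protocol v2 address family. */
static size_t pp2_min_addr_len(unsigned char fam) {
  switch (fam >> 4) {
    case 0x0: return 0;    /* UNSPEC: no address block */
    case 0x1: return 12;   /* INET: two IPv4 addresses + two ports */
    case 0x2: return 36;   /* INET6 (0x21 = TCPv6): two IPv6 addresses + two ports */
    default:  return (size_t)-1;
  }
}
struct pp2_frame {
  unsigned char fam;
  uint16_t len;             /* address-block length declared by the client */
  unsigned char addr[216];  /* largest PROXYv2 address block; TLVs are not parsed here */
};

/* Returns 0 on accept, a negative code on reject. */
int pp2_parse(const unsigned char *buf, size_t n, struct pp2_frame *out) {
  struct pp2_frame hdr = {0};   /* zeroed: no stale stack bytes can be echoed back */
  if (n < PP2_HDR_LEN) return -1;
  if (memcmp(buf, pp2_sig, sizeof pp2_sig) != 0) return -2;
  if ((buf[12] & 0xF0) != 0x20) return -3;      /* protocol version 2 */
  hdr.fam = buf[13];
  hdr.len = (uint16_t)((buf[14] << 8) | buf[15]);
  size_t need = pp2_min_addr_len(hdr.fam);
  if (need == (size_t)-1) return -4;
  if (hdr.len > sizeof hdr.addr) return -5;     /* upper bound: the only check in the bug */
  if (hdr.len < need) return -6;                /* lower bound: the missing check */
  if (n < PP2_HDR_LEN + hdr.len) return -7;     /* the bytes must really be on the wire */
  memcpy(hdr.addr, buf + PP2_HDR_LEN, hdr.len);
  *out = hdr;
  return 0;
}
/* Builds a frame with the given family, declared len and actual payload size
   (constructed 0xAB filler bytes) and returns pp2_parse's verdict. */
int pp2_demo(unsigned char fam, uint16_t len, size_t payload) {
  unsigned char frame[PP2_HDR_LEN + 216]; struct pp2_frame out;
  if (payload > sizeof frame - PP2_HDR_LEN) return -100;
  memcpy(frame, pp2_sig, sizeof pp2_sig);
  frame[12] = 0x21; frame[13] = fam;            /* version 2 + PROXY command, then family */
  frame[14] = (unsigned char)(len >> 8); frame[15] = (unsigned char)(len & 0xFF);
  memset(frame + PP2_HDR_LEN, 0xAB, payload);
  return pp2_parse(frame, PP2_HDR_LEN + payload, &out);
}
```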
Exploitation
An attacker with network access to an Exim server that uses the proxy protocol can send a specially crafted PROXYv2 frame with address family 0x21 and len=0. No authentication or prior interaction is required. The server then sends the uninitialized stack memory contents back to the client as part of the proxy protocol response [1].
Impact
Successful exploitation results in disclosure of uninitialized stack memory values to the attacker. This can leak sensitive information such as other data present on the server's stack, potentially including credentials, session tokens, or other confidential data. The disclosure occurs before authentication, increasing the risk of information leakage [1].
Mitigation
The vulnerability is fixed in Exim version 4.99.4, released on 2026-05-29 [1]. Users should upgrade to this version or later. No workaround is documented; disabling the proxy protocol feature may mitigate the issue if the feature is not required.
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.