Vendor
Exim
Products
1
CVEs
27
Across products
357
Status
Private
Products
1- 357 CVEs
Recent CVEs
27| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2010-4344 | Cri | 0.83 | 9.8 | 0.52 | KEV | Dec 14, 2010 | Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging. |
| CVE-2017-16943 | Cri | 0.70 | 9.8 | 0.77 | Nov 25, 2017 | The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands. | |
| CVE-2010-4345 | Hig | 0.66 | 7.8 | 0.07 | KEV | Dec 14, 2010 | Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive. |
| CVE-2017-16944 | Hig | 0.58 | 7.5 | 0.77 | Nov 25, 2017 | The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function. | |
| CVE-2016-1531 | Hig | 0.53 | 7.0 | 0.57 | Apr 7, 2016 | Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. | |
| CVE-2026-40685 | Med | 0.42 | 6.5 | 0.00 | Apr 30, 2026 | In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping. | |
| CVE-2026-40684 | Med | 0.38 | 5.9 | 0.00 | Apr 30, 2026 | In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing. | |
| CVE-2026-40687 | Med | 0.31 | 4.8 | 0.00 | Apr 30, 2026 | In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory. | |
| CVE-2017-1000369 | Med | 0.26 | 4.0 | 0.00 | Jun 19, 2017 | Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time. | |
| CVE-2026-40686 | Low | 0.24 | 3.7 | 0.00 | Apr 30, 2026 | In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message. | |
| CVE-2019-10149 | 0.23 | — | 0.94 | KEV | Jun 5, 2019 | A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. | |
| CVE-2025-26794 | 0.06 | — | 0.76 | Feb 21, 2025 | Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.) | ||
| CVE-2023-42115 | 0.06 | — | 0.71 | May 3, 2024 | Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. . Was ZDI-CAN-17434. | ||
| CVE-2012-5671 | 0.03 | — | 0.32 | Oct 31, 2012 | Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server. | ||
| CVE-2023-42117 | 0.01 | — | 0.07 | May 3, 2024 | Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17554. | ||
| CVE-2023-42116 | 0.01 | — | 0.07 | May 3, 2024 | Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. . Was ZDI-CAN-17515. | ||
| CVE-2023-42114 | 0.01 | — | 0.14 | May 3, 2024 | Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to disclose information in the context of the service account. . Was ZDI-CAN-17433. | ||
| CVE-2025-67896 | 0.00 | — | 0.00 | Dec 14, 2025 | Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation. | ||
| CVE-2025-30232 | 0.00 | — | 0.00 | Mar 27, 2025 | A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges. | ||
| CVE-2023-42119 | 0.00 | — | 0.01 | May 3, 2024 | Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. . Was ZDI-CAN-17643. |