Exim Mail Server Vulnerabilities Lead to Crash via DNS Data

The Exim development team has issued version 4.99.2 to mitigate four newly discovered security vulnerabilities impacting its mail server software.

These flaws allow attackers to potentially crash servers, corrupt memory, or leak sensitive information.

Because Exim is one of the most widely used message transfer agents on the internet, system administrators need to apply this update immediately to secure their email infrastructure.

Breakdown of the Discovered Vulnerabilities

The latest security update patches four distinct Common Vulnerabilities and Exposures (CVEs) that affect how the server processes external inputs.

• CVE-2026-40684 causes a crash with malicious DNS data malformed PTR records trigger an octal printing error on systems using the musl C library, resulting in a complete crash of the connection instance.
• CVE-2026-40685 triggers out-of-bounds read and write operations on corrupted JSON configurations that use JSON operators on invalid external input, which can directly lead to heap corruption.
• CVE-2026-40686 exposes out-of-bounds read issues via large UTF-8 trailing characters; processing malformed headers might leak data if error messages are required for subsequent emails in the same connection.
• CVE-2026-40687 creates out-of-bounds vulnerabilities in the SPA authenticator; connecting to a compromised external SPA or NTLM service can cause the instance to crash or leak heap memory.

Mail servers act as the central communication backbone for modern organizations, making them highly attractive targets for threat actors.

When attackers exploit out-of-bounds read and write vulnerabilities, they manipulate how a program allocates its memory space.

This allows malicious users to extract sensitive data they shouldn’t be able to access or to overwrite data, disrupting normal server operations.

The DNS-related crash specifically highlights how a simple malformed record can cause a denial-of-service condition for systems that rely on the musl C library.

Threat actors routinely deploy automated scanners to identify unpatched mail servers connected to the internet.

Leaving these endpoints exposed makes them highly vulnerable to automated exploitation and targeted data extraction campaigns.

Mitigation Steps

System administrators should prioritize upgrading to Exim 4.99.2 immediately.

The official security release is currently available as a tarball download from the primary Exim FTP site. It can also be pulled directly from the official Exim Git repository.

According to the advisory, older versions of Exim are no longer actively maintained, and network defenders should take note.

This means legacy deployments may carry these vulnerabilities permanently unless upgraded to the current branch.

Administrators should also review their email header configurations to ensure proper validation of externally provided JSON and UTF-8 inputs.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.