CVE-2026-40687 MEDIUM

Vendor Exim
Product Exim
Weakness CWE-909
Published April 30, 2026
Last update May 1, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

What the vulnerability does

01 Description

In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.

Key dates

02 Disclosure timeline

April 30, 2026 CVE published
May 1, 2026 Record updated