Exim Mail Server Update Fixes Four Security Flaws That Could Crash Servers or Leak Data
Exim 4.99.2 has been released as a security update to fix four newly disclosed vulnerabilities in the popular mail transfer agent. The flaws affect how Exim handles malicious DNS records, malformed JSON data, broken UTF-8 headers, and SPA authentication connections.
Admins running Exim before version 4.99.2 should treat the update as a priority. The issues can allow remote attackers to crash connection instances, corrupt heap memory, or expose limited data in certain configurations.
The Exim project says older versions may or may not be affected, but they are no longer actively maintained. That makes upgrading to the current branch the safest route for exposed mail servers.
What Exim 4.99.2 fixes
The most visible issue is CVE-2026-40684. It affects systems using musl libc, not glibc, and can crash an Exim connection instance when malformed DNS data appears in PTR records.
This creates a denial-of-service risk for certain Linux environments. A remote attacker would not need direct server access if they can make Exim process the malformed DNS response during normal mail handling.
The update also fixes CVE-2026-40685, which involves malformed JSON in untrusted headers. When JSON lookup is enabled, a bad JSON operator can trigger an out-of-bounds heap write.
At a glance
| CVE | Issue | Possible impact | Affected condition |
|---|---|---|---|
| CVE-2026-40684 | Malformed DNS PTR data | Connection crash | Systems using musl libc |
| CVE-2026-40685 | Malformed JSON in headers | Heap memory corruption | JSON lookup enabled |
| CVE-2026-40686 | Malformed UTF-8 header data | Out-of-bounds read and possible data leak | UTF-8 operators enabled |
| CVE-2026-40687 | SPA authenticator handling flaw | Crash or heap data leak | SPA authentication driver in use |
Memory flaws raise the risk for exposed mail servers
CVE-2026-40686 affects configurations that use UTF-8 operators. Large malformed UTF-8 trailing characters in headers can cause an out-of-bounds read.
In some cases, data could appear in an error message while Exim handles another email in the same connection. This limits the scope, but it still creates a confidentiality concern for mail infrastructure.
CVE-2026-40687 affects the SPA authentication driver. A hostile or compromised external SPA or NTLM service could trigger an out-of-bounds write, crash the connection instance, or expose uninitialized heap memory.
Why this update matters
Mail servers sit directly on the internet in many organizations. Attackers often scan these systems because they handle trusted communication, authentication flows, and sensitive message data.
Even when a flaw only crashes a connection instance, repeated abuse can disrupt mail delivery. Memory corruption bugs also deserve fast attention because they can become more serious as researchers analyze the patch.
NVD currently rates some of these issues differently from the CNA scores. For example, NVD lists CVE-2026-40685 as critical, while the CNA score marks it as medium. Admins should not wait for perfect scoring alignment before patching.
What administrators should do now
- Upgrade Exim to version 4.99.2 or apply vendor-provided packages as soon as they become available.
- Check whether any servers use musl libc, especially lightweight Linux deployments and containerized systems.
- Review Exim configurations that use JSON lookup, UTF-8 operators, or SPA authentication.
- Monitor mail logs for repeated crashes, malformed header errors, or unusual authentication behavior.
- Use signed release files or trusted distribution packages when updating production servers.
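The checklist above maps onto a few concrete checks: compare the running version against 4.99.2, find out whether the binary was built against musl, and look for the JSON lookup, UTF-8 operator and SPA authenticator features in the build and the runtime configuration. The script below is an added example for this article, not Exim project code; the sample `exim -bV` output, `ldd` output and configuration fragment embedded in it are constructed, the binary path is an assumption, and the `--live` mode queries the local Exim instead.

```shell
#!/bin/sh
# Added example, not Exim project code: offline-testable triage for the checklist above.
# Assumptions: EXIM_BIN path, and the SAMPLE_* data (constructed, not from a real host).
set -u

FIXED_VERSION="4.99.2"                   # first release carrying the four fixes
EXIM_BIN="${EXIM_BIN:-/usr/sbin/exim}"    # assumed path; override via environment

# stdin: `exim -bV` output. Prints the version number taken from its first line.
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_older A B: exit 0 when dotted version A is strictly older than B.
version_older() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1    # equal versions are not older
    }'
}

# bv_lists PREFIX WORD: exit 0 when the `exim -bV` line starting with PREFIX lists WORD.
bv_lists() {
    grep "^$1" | grep -Eq "(^|[ :])$2( |$)"
}

# stdin: `ldd <exim binary>` output. musl's dynamic loader is named ld-musl-*.
libc_is_musl() {
    grep -q 'ld-musl'
}

# stdin: Exim runtime configuration. Prints which of the three feature families the
# advisory names appear in it (comments stripped), one per line, sorted.
config_features() {
    sed 's/#.*//' | awk '
        /driver[[:space:]]*=[[:space:]]*spa([[:space:]]|$)/ { f["spa"] = 1 }
        /json/                                             { f["json"] = 1 }
        /utf8/                                             { f["utf8"] = 1 }
        END { for (k in f) print k }' | sort
}

# report BV_TEXT LDD_TEXT CONFIG_TEXT: prints one line per finding, always returns 0.
report() {
    ver=$(printf '%s\n' "$1" | exim_version_from_bv)
    if version_older "${ver:-0}" "$FIXED_VERSION"; then
        echo "UPGRADE: Exim ${ver:-unknown} is older than $FIXED_VERSION"
    fi
    if printf '%s\n' "$2" | libc_is_musl; then
        echo "CVE-2026-40684: built against musl libc, PTR-record crash applies"
    fi
    if printf '%s\n' "$1" | bv_lists "Lookups" json; then
        echo "CVE-2026-40685: json lookup compiled in"
    fi
    for f in $(printf '%s\n' "$3" | config_features); do
        case $f in
            json) echo "CVE-2026-40685: config uses json lookups" ;;
            utf8) echo "CVE-2026-40686: config uses utf8 operators" ;;
            spa)  echo "CVE-2026-40687: config enables an spa authenticator" ;;
        esac
    done
    return 0
}

# Constructed sample data (not captured from any real server).
SAMPLE_BV='Exim version 4.98 #2 built 27-Dec-2024 13:41:06
Support for: crypteq iconv() IPv6 OpenSSL
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz json
Authenticators: cram_md5 plaintext spa'
SAMPLE_LDD='	/lib/ld-musl-x86_64.so.1 (0x7f0000000000)'
SAMPLE_CONFIG='# constructed fragment, not a real configuration
begin authenticators
ntlm_spa:
  driver = spa
  public_name = NTLM
  server_password = ${lookup {$auth1} json {/etc/exim/users.json}}
begin routers
clean_addr:
  driver = redirect
  data = ${utf8clean:$local_part}@$domain'

case "${1:-}" in
    --live)
        cfg=$("$EXIM_BIN" -bP configure_file | sed 's/^configure_file = //')
        report "$("$EXIM_BIN" -bV)" "$(ldd "$EXIM_BIN" 2>/dev/null)" "$(cat "$cfg")" ;;
    *)
        report "$SAMPLE_BV" "$SAMPLE_LDD" "$SAMPLE_CONFIG" ;;
esac
```

Run without arguments it reports on the constructed sample (an old musl build with all three risky features); with `--live` it reads the local binary and configuration. The feature matching is deliberately coarse: any mention of `json` or `utf8` in the configuration is surfaced for a human to review, which is what the checklist asks for. The signature step is separate: after downloading a release tarball and its signature file from the Exim download directory, verify it with `gpg --verify` against the project's release key before building.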
The update is already available
Exim 4.99.2 is available from the official Exim download directory, and the project also lists source access through its Git repository. Release tarballs include signature files, which admins should verify before installing from source.
Linux distributions may ship their own patched Exim builds. In managed environments, admins should follow their distribution’s security channel instead of manually replacing packaged software.
The key takeaway is simple: any internet-facing Exim server running an older version needs review. The safest fix is to move to Exim 4.99.2 or a trusted vendor package that includes the same security patches.
FAQ
Exim 4.99.2 is a security release for the Exim mail transfer agent. It fixes four vulnerabilities tracked as CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687.
Yes. The reported issues involve remotely supplied data such as DNS responses, email headers, or external authentication connections. The exact exposure depends on the server configuration.
CVE-2026-40685 and CVE-2026-40687 deserve close attention because they involve memory corruption or possible heap data exposure. CVE-2026-40684 also matters for musl-based systems because it can crash Exim connection instances.
Yes. Exim 4.99.2 is a security release, and the project says older versions are not actively maintained. Public mail servers should receive the update as soon as possible through trusted release channels.