All errata/sisyphus/ALT-PU-2026-7662-2
ALT-PU-2026-7662-2

Package update exim in branch sisyphus

Version4.99.3-alt1
Task#418007
Published2026-05-30
Max severityCRITICAL
Severity:

Closed issues (16)

BDU:2024-00108
MEDIUM6.5

Уязвимость реализации протокола SMTP почтового сервера Exim, позволяющая нарушителю обойти политику безопасности SPF (Sender Policy Framework) и отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

Published: 2024-01-09Modified: 2026-01-19
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
BDU:2024-05250
MEDIUM5.4

Уязвимость компонента Multiline RFC 2231 почтового сервера Exim, обойти существующие ограничения безопасности путем внедрения специально сформированных исполняемых файлов

Published: 2024-07-14Modified: 2026-01-19
CVSS 3.xMEDIUM 5.4
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
BDU:2025-01904
HIGH7.5

Уязвимость функций SQLite hints и ETRN serialization почтового сервера Exim, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-02-23Modified: 2025-05-05
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2025-03534
HIGH8.1

Уязвимость почтового сервера Exim, связанная с использованием памяти после ее освобождения, позволяющая нарушителю повысить свои привилегии

Published: 2025-04-22Modified: 2026-03-03
CVSS 3.xHIGH 8.1
CVSS:3.x/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 2.0MEDIUM 6.2
CVSS:2.0/AV:L/AC:H/Au:N/C:C/I:C/A:C
References
BDU:2026-00906
CRITICAL9.8

Уязвимость почтового сервера Exim, связанная с переполнением буфера в динамической памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-01-27Modified: 2026-05-31
CVSS 3.xCRITICAL 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2026-06520
CRITICAL9.8

Уязвимость функции ungetc() компонента BDAT/CHUNKING почтового сервера Exim, позволяющая нарушителю выполнить произвольный код

Published: 2026-05-12Modified: 2026-05-31
CVSS 3.xCRITICAL 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
CVE-2023-51766
MEDIUM5.3

Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports . but some other popular e-mail servers do not.

Published: 2023-12-24Modified: 2026-06-17
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
CVE-2024-39929
MEDIUM5.4

Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.

Published: 2024-07-04Modified: 2026-06-17
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
References
CVE-2025-26794
CRITICAL9.8

Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)

Published: 2025-02-21Modified: 2026-06-17
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2025-67896
CRITICAL9.8

Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation.

Published: 2025-12-14Modified: 2026-06-17
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2026-40684
HIGH7.5

In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

Published: 2026-04-30Modified: 2026-06-17
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-40685
CRITICAL9.8

In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.

Published: 2026-04-30Modified: 2026-06-17
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2026-40686
MEDIUM5.3

In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.

Published: 2026-04-30Modified: 2026-06-17
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2026-40687
CRITICAL9.1

In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.

Published: 2026-04-30Modified: 2026-06-17
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
References
CVE-2026-45185
CRITICAL9.8

Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.

Published: 2026-05-12Modified: 2026-06-17
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References