External risk intelligence

Exim email servers can be taken over by attackers using malformed email data.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-40685

A critical flaw in Exim email servers lets attackers take control by sending a specially crafted email, potentially impacting many systems that handle incoming mail.

Halo Surface Signal: 5

  • Weakness: Out-of-bounds Write
  • Product: Exim
  • Affected versions: before 4.99.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-40685

Exim is a mail transfer agent (MTA) designed to accept incoming connections from the internet. As a core component of email infrastructure, it is inherently public-facing and reachable by design to facilitate the exchange of messages across global networks.

PCI scan relevance

PCI Relevance for CVE-2026-40685

Yes

CVE-2026-40685 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is PCI scan-relevant as it involves an out-of-bounds heap write vulnerability in Exim when processing malformed JSON, which could lead to remote code execution or sensitive data disclosure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in Exim, an email transfer agent, allows an attacker to write data outside of allocated memory when processing malformed JSON in untrusted headers. This could lead to system compromise.

  • Attacker can remotely execute code.
  • Affects systems processing untrusted email headers.
  • Immediate attention is warranted due to severe impact.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability to achieve remote code execution by sending a specially crafted email to a vulnerable Exim server with JSON lookup enabled. The server will process the malformed JSON in an untrusted header, leading to an out-of-bounds heap write. This can then be leveraged to overwrite critical memory structures and gain control of the server.

  • Attacker sends crafted email.
  • Requires JSON lookup enabled.
  • Exploits malformed header.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Exim, an email transfer agent, presents a clear path for attackers. The issue allows for an out-of-bounds heap write when malformed JSON is processed, enabling remote code execution with potentially high impact. The lack of authentication and direct network exposure makes it an attractive target.

  • Public exploit availability is unknown.
  • No KEV listing observed.
  • The vulnerability was recently disclosed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Exim to version 4.99.2 or later to address the critical heap write vulnerability. If immediate patching is not feasible, implement strict network access controls to limit exposure of Exim services to only trusted sources and enable detailed logging for suspicious activity.

  • Patch Exim to 4.99.2+.
  • Restrict network access to Exim.
  • Monitor for malformed JSON headers.

Frequently asked questions

What is Exim and what is its primary function in email systems?

Exim is a mail transfer agent (MTA) designed for Unix-like operating systems. Its primary role is to send, receive, and route emails, acting as a core component of an email server infrastructure.

What specific weakness does CVE-2026-40685 represent and how does it occur?

CVE-2026-40685 is an out-of-bounds heap write vulnerability. This occurs in Exim when the JSON lookup feature is enabled and a malformed JSON string is encountered in an untrusted header, due to an issue with backslash skipping during JSON parsing.

What is the attack vector for CVE-2026-40685 and what is the scope of impact?

An attacker can exploit this by sending a specially crafted email containing malformed JSON data in specific headers to a vulnerable Exim server. This leads to an out-of-bounds heap write, potentially allowing for remote code execution on the server. The vulnerability is classified as external due to its network attack vector.

How significant is CVE-2026-40685, and what is its relation to Halo Surface Signal?

This vulnerability is rated CRITICAL with a base score of 9.8. Halo Surface Signal assesses it as 'Very likely' to be exploited because Exim is a public-facing mail transfer agent that accepts internet connections, making it an accessible target.

What are the recommended actions to mitigate the risks associated with CVE-2026-40685?

The recommended action is to update Exim to version 4.99.2 or later. If immediate patching isn't possible, restrict network access to Exim services and monitor for suspicious activity, such as malformed JSON headers.
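The two checks below are an added example written for this page; they are not code from the advisory or from the Exim project. They turn the remediation guidance in the Operational Fix section and this FAQ answer into something an operator can run: a version comparison against the fixed release 4.99.2 named on the page, and a classifier that flags mail header values that are not well-formed JSON. The header scanner, its folding of continuation lines, and the "unterminated-escape" and "unterminated-string" labels are the author's own heuristics for what "malformed JSON" looks like, prompted by the advisory's mention of backslash skipping; they are not a signature of the actual Exim defect, and the header names and values are constructed sample data.

```python
"""Defensive checks for CVE-2026-40685 exposure (added example, not Exim code).

1. is_exim_affected(): is a reported Exim version older than the fixed 4.99.2?
2. classify_json_header() / scan_headers(): flag header values that are not
   well-formed JSON, as a detection aid for "monitor for malformed JSON
   headers". The escape/string heuristics are assumptions, not the real bug.
"""
import json
import re

FIXED_VERSION = (4, 99, 2)  # advisory: fixed in Exim 4.99.2, "before 4.99.2" affected

# Labels returned by classify_json_header().
WELL_FORMED = "well-formed"
MALFORMED = "malformed"
UNTERMINATED_ESCAPE = "malformed:unterminated-escape"  # input ends right after a backslash
UNTERMINATED_STRING = "malformed:unterminated-string"  # a string literal is never closed


def parse_exim_version(version: str) -> tuple:
    """Turn '4.98.1' or '4.99' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Exim version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_exim_affected(version: str) -> bool:
    """True when the running version is older than the fixed release."""
    return parse_exim_version(version) < FIXED_VERSION


def _scan_strings(value: str):
    """Walk JSON string literals in `value` (heuristic, assumed, not Exim's parser).

    A backslash inside a string consumes the next character, so a backslash that
    swallows the closing quote leaves the string open; a backslash as the very
    last character escapes nothing at all.
    """
    i, n, in_string = 0, len(value), False
    while i < n:
        c = value[i]
        if in_string:
            if c == "\\":
                if i + 1 >= n:
                    return UNTERMINATED_ESCAPE
                i += 2  # skip the escaped character, whatever it is
                continue
            if c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        i += 1
    return UNTERMINATED_STRING if in_string else None


def classify_json_header(value: str) -> str:
    """Label a header value: well-formed JSON, or why it is not."""
    try:
        json.loads(value)
        return WELL_FORMED
    except ValueError:  # json.JSONDecodeError is a ValueError
        pass
    return _scan_strings(value) or MALFORMED


def scan_headers(raw_headers: str) -> list:
    """Classify every header whose (folded) value looks like a JSON document.

    Headers whose value does not start with '{' or '[' are ignored, so ordinary
    headers produce no findings. Returns [(header_name, label), ...].
    """
    findings = []
    name, parts = None, []
    for line in raw_headers.splitlines() + [""]:  # sentinel flushes the last header
        if line[:1] in (" ", "\t") and name:  # RFC 5322 folded continuation line
            parts.append(line.strip())
            continue
        if name:
            joined = " ".join(parts)
            if joined[:1] in ("{", "["):
                findings.append((name, classify_json_header(joined)))
        name, parts = None, []
        if ":" in line:
            field, _, rest = line.partition(":")
            name, parts = field.strip(), [rest.strip()]
    return findings


# Constructed sample headers (not captured traffic): one sound JSON header and
# one whose backslash swallows the closing quote of a string literal.
SAMPLE_HEADERS = """\
From: sender@example.com
Subject: invoice
X-Meta: {"customer": "acme", "ref": 42}
X-Trace: {"path": "abc\\"}
X-Other: plain text
"""

if __name__ == "__main__":
    print("Exim 4.98.1 affected:", is_exim_affected("4.98.1"))
    for header, label in scan_headers(SAMPLE_HEADERS):
        print(f"{header}: {label}")
```

Feed `scan_headers` the header block of a queued or logged message and alert on any label other than `well-formed`; pair it with `is_exim_affected` against the version your MTA reports so the alert carries the patch status as context.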

References