External risk intelligence

Exim mail server can leak customer data or crash when handling specific authentication requests

CVE advisory. Severity: CRITICAL (CVSS 9.1)

CVE-2026-40687

Exim mail servers can be crashed or made to leak sensitive data by a critical flaw in the SPA authentication driver, affecting internet-facing systems.

Halo Surface Signal: 5

Affected product: Exim, versions before 4.99.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-40687

Exim is a widely deployed Mail Transfer Agent (MTA) typically configured to listen on the network edge to accept incoming email traffic from the internet. Because it handles public-facing SMTP authentication, the vulnerable authentication driver is directly reachable by external network entities.

PCI scan relevance

PCI Relevance for CVE-2026-40687

Yes

CVE-2026-40687 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Exim allows unauthenticated attackers to cause a denial of service or leak uninitialized heap memory. It is considered relevant due to its potential impact on system availability and data confidentiality.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This critical issue in Exim, a mail server, could allow an attacker to crash a connection instance or reveal sensitive data from uninitialized memory. This vulnerability is especially concerning because it can be triggered remotely without any authentication.

  • Attackers can crash server connections.
  • Sensitive data may be exposed.
  • It affects internet-facing mail servers.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by sending specially crafted data to the Exim mail server. This could lead to a denial-of-service by crashing the server instance, or potentially disclose sensitive information from the server's memory.

  • Remote attackers can abuse the flaw.
  • No authentication is required.
  • The SPA authentication driver must be configured on the server.

Live Threat

Current exploitation, exposure, and threat context

This critical vulnerability in Exim's SPA authentication driver presents a significant risk due to its network-accessible nature and potential for denial-of-service or data leakage. Attackers are likely to target this given Exim's common deployment as a public-facing mail server. The vulnerability allows for remote exploitation without authentication, making it an attractive target for broad attacks.

  • Network-accessible vulnerability.
  • Critical impact: crash or data disclosure.
  • Published with exploitability details.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and isolating Exim instances that use the SPA authentication driver. Given the critical severity and the fact that the flaw can be triggered remotely without authentication, exposed configurations present a significant risk. Focus on verifying whether your Exim deployment is vulnerable and taking immediate containment measures.

  • Upgrade Exim to version 4.99.2 or later.
  • Block external access to vulnerable Exim instances.
  • Monitor logs for suspicious authentication attempts.
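As an added example (not code from this advisory or from the Exim project), the following Python script turns the three actions above into checks a defender can run: it compares the version reported by `exim -bV` against the fixed release 4.99.2, finds which configured authenticators use `driver = spa` so those instances can be isolated, and counts failed attempts against those authenticators per client IP in the main log so repeat sources can be reviewed. It assumes the first line of `exim -bV` has the form `Exim version X.Y.Z ...`, that the configuration uses the usual `name:` / indented `option = value` layout inside `begin authenticators`, and that the main log uses Exim's default `<authenticator> authenticator failed for <host> [<ip>]` line for failed authentications; the version output, configuration fragment and log lines in the block are constructed samples.

```python
"""Triage helpers for Exim deployments against CVE-2026-40687 (added example).

Checks implemented:
  1. is_vulnerable_version(): compare `exim -bV` output with the fixed release.
  2. spa_authenticator_names(): list authenticators configured with driver = spa.
  3. spa_auth_failures(): count failed SPA authentications per client IP.
All sample output, configuration and log lines below are constructed.
"""
import re
from collections import Counter

# Fixed release named in the advisory for CVE-2026-40687.
FIXED_VERSION = (4, 99, 2)

# Constructed sample of the first line printed by `exim -bV` (assumed format).
SAMPLE_BV_OUTPUT = "Exim version 4.98.1 #2 built 12-Mar-2026 10:21:07\n"

# Constructed configuration fragment with one SPA and one PLAIN authenticator.
SAMPLE_CONFIG = """
begin authenticators

spa_server:
  driver = spa
  public_name = NTLM
  server_password = ${lookup{$auth1}lsearch{/etc/exim/spa_users}{$value}fail}

plain_server:
  driver = plaintext
  public_name = PLAIN
"""

# Constructed Exim main-log lines (default log format, no PID field).
SAMPLE_LOG = [
    "2026-04-02 09:14:01 spa_server authenticator failed for (WIN-CLIENT) [203.0.113.7]: 535 Incorrect authentication data",
    "2026-04-02 09:14:02 spa_server authenticator failed for (WIN-CLIENT) [203.0.113.7]: 535 Incorrect authentication data",
    "2026-04-02 09:14:03 spa_server authenticator failed for (WIN-CLIENT) [203.0.113.7]: 535 Incorrect authentication data",
    "2026-04-02 09:15:10 plain_server authenticator failed for mail.example.net [198.51.100.5]: 535 Incorrect authentication data (set_id=bob)",
    "2026-04-02 09:16:44 1uAbCd-000123-4x <= sender@example.org H=mail.example.net [198.51.100.5] P=esmtp S=1234",
    "2026-04-02 09:17:00 spa_server authenticator failed for (x) [203.0.113.9]: 535 Incorrect authentication data",
]

VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")
# date time <authenticator> authenticator failed for <host text> [<ip>]
AUTH_FAIL_RE = re.compile(
    r"^\S+ \S+ (?P<auth>\S+) authenticator failed for .*?\[(?P<ip>[^\]]+)\]"
)


def parse_exim_version(bv_output):
    """Return (major, minor, patch) from `exim -bV` output; patch defaults to 0."""
    m = VERSION_RE.search(bv_output)
    if m is None:
        raise ValueError("no 'Exim version' line found")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(bv_output):
    """True when the running release is older than the fixed release."""
    return parse_exim_version(bv_output) < FIXED_VERSION


def spa_authenticator_names(config_text):
    """Names of authenticators whose driver is `spa` (simple line parser)."""
    names, current, in_section = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("begin "):
            in_section = line == "begin authenticators"
            continue
        if not in_section or not line or line.startswith("#"):
            continue
        if re.fullmatch(r"[A-Za-z0-9_]+:", line):
            current = line[:-1]            # start of a new authenticator block
        elif current and re.fullmatch(r"driver\s*=\s*spa", line):
            names.append(current)
    return names


def spa_auth_failures(log_lines, auth_names, min_count=1):
    """Count failed attempts against the named authenticators per client IP."""
    counts = Counter()
    for line in log_lines:
        m = AUTH_FAIL_RE.match(line)
        if m and m.group("auth") in auth_names:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= min_count}


def triage(bv_output, config_text, log_lines, min_count=3):
    """Combine the checks into one report for an Exim host."""
    vulnerable = is_vulnerable_version(bv_output)
    spa_names = spa_authenticator_names(config_text)
    return {
        "version": ".".join(map(str, parse_exim_version(bv_output))),
        "needs_upgrade": vulnerable,
        "spa_authenticators": spa_names,
        # Exposed only when both the old release and an SPA authenticator are present.
        "spa_exposed": vulnerable and bool(spa_names),
        "noisy_spa_sources": spa_auth_failures(log_lines, spa_names, min_count),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BV_OUTPUT, SAMPLE_CONFIG, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In use, feed `triage()` the real output of `exim -bV`, the contents of the Exim configuration file and the main log. The noisy-source list only surfaces repeated failures against the SPA authenticator for review; it is not proof of exploitation, and an upgrade to 4.99.2 or later remains the fix.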

Frequently asked questions

What is the impact of CVE-2026-40687 on Exim email servers?

CVE-2026-40687 can cause an out-of-bounds write in Exim when the SPA authentication driver is used with an adversarial SPA resource. This can lead to a crash of the connection instance or erroneous data processing that divulges data from uninitialized heap memory.

What is the weakness class for CVE-2026-40687 in Exim?

The weakness identified for CVE-2026-40687 is CWE-909 (Missing Initialization of Resource). The defect is described as an out-of-bounds write in the SPA authentication driver that can corrupt data or disclose uninitialized heap memory.

How can CVE-2026-40687 be triggered, and what is the scope of its impact?

The vulnerability can be triggered when the SPA authentication driver is used with an adversarial SPA resource. An unauthenticated remote attacker can exploit this flaw by sending specially crafted data to the Exim mail server. The impact can be a crash of the connection instance or disclosure of data from uninitialized heap memory.

How relevant is CVE-2026-40687 for internet-facing systems, and what is its exploitability?

This critical vulnerability in Exim's SPA authentication driver is very likely to be exploited because Exim is a widely deployed, public-facing Mail Transfer Agent (MTA). The vulnerability is network-accessible and requires no authentication, making it an attractive target for remote attackers.

What are the recommended actions to mitigate CVE-2026-40687?

To mitigate this vulnerability, upgrade Exim to version 4.99.2 or later. If an upgrade is not immediately possible, consider blocking external access to vulnerable Exim instances and monitoring logs for suspicious authentication attempts.
