Total
65 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-48840 | 1 Exim | 1 Exim | 2026-06-03 | N/A | 5.3 MEDIUM |
| Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client. | |||||
| CVE-2026-45185 | 1 Exim | 1 Exim | 2026-05-28 | N/A | 9.8 CRITICAL |
| Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code. | |||||
| CVE-2017-16943 | 2 Debian, Exim | 2 Debian Linux, Exim | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands. | |||||
| CVE-2017-16944 | 2 Debian, Exim | 2 Debian Linux, Exim | 2026-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function. | |||||
| CVE-2017-1000369 | 2 Debian, Exim | 2 Debian Linux, Exim | 2026-05-13 | 2.1 LOW | 4.0 MEDIUM |
| Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time. | |||||
| CVE-2016-9963 | 3 Canonical, Debian, Exim | 3 Ubuntu Linux, Debian Linux, Exim | 2026-05-13 | 2.6 LOW | 5.9 MEDIUM |
| Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages. | |||||
| CVE-2014-2972 | 1 Exim | 1 Exim | 2026-05-06 | 4.6 MEDIUM | N/A |
| expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value. | |||||
| CVE-2014-2957 | 1 Exim | 1 Exim | 2026-05-06 | 6.8 MEDIUM | N/A |
| The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function. | |||||
| CVE-2016-1531 | 1 Exim | 1 Exim | 2026-05-06 | 6.9 MEDIUM | 7.0 HIGH |
| Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. | |||||
| CVE-2026-40687 | 1 Exim | 1 Exim | 2026-05-01 | N/A | 4.8 MEDIUM |
| In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory. | |||||
| CVE-2026-40684 | 1 Exim | 1 Exim | 2026-05-01 | N/A | 5.9 MEDIUM |
| In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing. | |||||
| CVE-2026-40685 | 1 Exim | 1 Exim | 2026-05-01 | N/A | 6.5 MEDIUM |
| In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping. | |||||
| CVE-2026-40686 | 1 Exim | 1 Exim | 2026-05-01 | N/A | 3.7 LOW |
| In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message. | |||||
| CVE-2012-5671 | 1 Exim | 1 Exim | 2026-04-29 | 6.8 MEDIUM | N/A |
| Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server. | |||||
| CVE-2011-1407 | 1 Exim | 1 Exim | 2026-04-29 | 7.5 HIGH | N/A |
| The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity. | |||||
| CVE-2011-1764 | 1 Exim | 1 Exim | 2026-04-29 | 7.5 HIGH | N/A |
| Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.c in Exim before 4.76 might allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in data used in DKIM logging, as demonstrated by an identity field containing a % (percent) character. | |||||
| CVE-2010-2023 | 1 Exim | 1 Exim | 2026-04-29 | 4.4 MEDIUM | N/A |
| transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit mail directory is used, does not verify the st_nlink field of mailbox files, which allows local users to cause a denial of service or possibly gain privileges by creating a hard link to another user's file. | |||||
| CVE-2011-0017 | 1 Exim | 1 Exim | 2026-04-29 | 6.9 MEDIUM | N/A |
| The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack. | |||||
| CVE-2010-2024 | 1 Exim | 1 Exim | 2026-04-29 | 4.4 MEDIUM | N/A |
| transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/. | |||||
| CVE-2010-4344 | 4 Canonical, Debian, Exim and 1 more | 4 Ubuntu Linux, Debian Linux, Exim and 1 more | 2026-04-21 | 9.3 HIGH | 9.8 CRITICAL |
| Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging. | |||||