CVE-2026-40685
In short
Exim email servers with JSON lookup enabled can crash or be compromised if they receive emails with malformed JSON in headers. An attacker can exploit incorrect handling of backslashes to write data outside memory boundaries.
Technical detail
An out-of-bounds heap write vulnerability exists in Exim's JSON lookup operator when processing malformed JSON from untrusted email headers, caused by flawed backslash escaping logic. The attack requires JSON lookup to be enabled and attacker control over email headers, potentially allowing memory corruption and code execution.
Summary generated and translated by AI from the official description.
In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
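A quick exposure check for the two conditions in the description (a version before 4.99.2, and JSON lookup present), added here as an example and not taken from the advisory or from Exim. It assumes that `exim -bV` prints the version on an "Exim version" line and the compiled-in lookup types on lines starting with "Lookups"; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not Exim project code): classify `exim -bV` output against the
# advisory's two conditions: version before 4.99.2 and JSON lookup compiled in.
# Assumptions: version appears as "Exim version X.Y[.Z]" and lookup types are
# listed on lines starting with "Lookups". Distribution backports that keep an
# older version string will still read as "affected"; confirm with the vendor.

FIXED="4.99.2"   # first fixed release per the advisory

# Succeeds (exit 0) when dotted version $1 is strictly older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# Reads `exim -bV` text on stdin; prints affected | fixed | no-json | unknown.
classify_exim() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" |
          sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }
    if ! printf '%s\n' "$out" |
         grep -Eq '^Lookups.*[[:space:]]json([[:space:]]|$)'; then
        echo no-json; return 0
    fi
    if version_lt "$ver" "$FIXED"; then echo affected; else echo fixed; fi
}

# Constructed sample output, trimmed to the lines the check reads.
sample_bv() {
    cat <<'EOF'
Exim version 4.98 #2 built 01-Jan-2025 00:00:00
Support for: crypteq IPv6 OpenSSL DKIM DNSSEC
Lookups (built-in): lsearch wildlsearch cdb dbm dnsdb dsearch json passwd
EOF
}

sample_bv | classify_exim
```

On a live host, pipe the real output in with `exim -bV 2>/dev/null | classify_exim`. An "affected" result means both preconditions are met, not that the configuration actually applies a JSON operator to untrusted header data.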
Affected products
Exim · Exim