Cyber Resilience

CVE-2019-16928

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 27 September 2019
Modified: 07 November 2025
KEV Added: 03 March 2022
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9031 (99.6th percentile)
Risk Priority: 94 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-16928 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Fedoraproject Fedora. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Exim versions 4.92 through 4.92.2 contain a heap-based buffer overflow in the string_vformat function within string.c. The flaw is triggered by an overly long EHLO command and is distinct from the separate issue tracked as CVE-2019-15846. It is assigned CWE-787 and carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can send a crafted EHLO command to an affected Exim server and achieve arbitrary code execution with full impact on confidentiality, integrity, and availability. The vulnerability is exploitable over the network without any authentication or special conditions.

Public advisories and technical details, including potential mitigation steps and patch information, are discussed in the referenced Openwall mailing-list posts and the Exim bug tracker entry at https://bugs.exim.org/show_bug.cgi?id=2449. No information on observed in-the-wild exploitation is provided in the available references.


Vulnerability details

Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.

CWE(s): CWE-787 (Out-of-bounds Write)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
exim | exim | 4.92 to 4.92.2
canonical | ubuntu linux | 19.04
debian | debian linux | 10.0
fedoraproject | fedora | 29, 30, 31

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly mitigates the heap buffer overflow by enforcing validation of EHLO command length and format before string_vformat processing.

prevent (SI-2, Flaw Remediation): Requires timely application of vendor patches that eliminate the vulnerable string_vformat code path in Exim 4.92 through 4.92.2.

prevent: Restricts network exposure of the unauthenticated Exim SMTP listener, reducing the attack surface for remote EHLO-based exploitation.
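The two controls above reduce to concrete checks an operator can script: confirm whether a host runs a version inside the affected range (4.92 through 4.92.2) and flag EHLO/HELO command lines in captured SMTP transcripts that exceed a length threshold. The following Python is an added example written for this page; it is not code from Exim or from the advisory. The version banner and SMTP lines are constructed samples, the regex assumes text of the form "Exim version X.Y[.Z]", and the 512-octet threshold is taken from the RFC 5321 command-line limit as an example value, not an Exim setting.

```python
import re
from typing import List, Optional, Tuple

# Affected range as stated in the advisory: Exim 4.92 through 4.92.2 inclusive.
# "4.92" with no patch component is treated as (4, 92, 0).
AFFECTED_MIN = (4, 92, 0)
AFFECTED_MAX = (4, 92, 2)

# Assumption for this example: RFC 5321 caps an SMTP command line at 512
# octets including CRLF. This is a detection heuristic, not the overflow bound.
DEFAULT_MAX_LINE = 512

# Matches text such as an "Exim version 4.92.1 #3 ..." banner (assumed format).
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample banner (not real command output).
SAMPLE_BANNER = "Exim version 4.92.1 #3 built 01-Jan-2020 00:00:00"

# Constructed SMTP transcript: one normal greeting, one oversized greeting.
SAMPLE_LINES = [
    "EHLO mail.example.com\r\n",
    "EHLO " + "a" * 600 + "\r\n",
    "MAIL FROM:<user@example.com>\r\n",
]


def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a banner string, or None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def flag_long_greetings(lines: List[str],
                        max_len: int = DEFAULT_MAX_LINE) -> List[Tuple[int, int]]:
    """Return (line_index, length) for EHLO/HELO lines longer than max_len.

    Lengths count the raw line including its CRLF, matching how the RFC
    limit is expressed. Other commands are ignored.
    """
    flagged = []
    for i, line in enumerate(lines):
        if line[:4].upper() in ("EHLO", "HELO") and len(line) > max_len:
            flagged.append((i, len(line)))
    return flagged


if __name__ == "__main__":
    ver = parse_exim_version(SAMPLE_BANNER)
    print("parsed version:", ver, "affected:", ver is not None and is_affected(ver))
    print("oversized greetings:", flag_long_greetings(SAMPLE_LINES))
```

The version check is the part that matters for remediation (SI-2): a host in the affected range needs the vendor patch, and the greeting-length scan only helps triage captured traffic or test a front-end filter (SI-10). Run it against real `exim -bV` output and an SMTP capture to replace the constructed samples.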
