Cyber Posture

CVE-2026-40684

Medium

Published: 30 April 2026

Modified: 01 May 2026
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0007 (21.8th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40684 is a medium-severity Incorrect Provision of Specified Functionality (CWE-684) vulnerability in Exim. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score ranks at the 21.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly addresses the CVE by requiring identification, reporting, and timely remediation of the Exim flaw through patching to version 4.99.2 or later.
- Prevent: Mitigates the crash by requiring the system to handle errors and exceptions from malformed DNS PTR data without compromising availability.
- Prevent: Protects against the denial-of-service impact of connection crashes triggered by malformed DNS data in PTR records.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability enables remote exploitation of Exim to crash connection instances via malformed DNS PTR data, directly facilitating application or system exploitation for denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

Deeper analysis

CVE-2026-40684 affects Exim versions before 4.99.2 on systems using musl libc, excluding those with glibc. The vulnerability stems from an oddity in the dn_expand function during octal printing, enabling an attacker to crash a connection instance when malformed DNS data appears in PTR records. Published on 2026-04-30, it carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-684.

A remote attacker with network access can exploit this without privileges or user interaction, though it demands high attack complexity. Exploitation crashes the targeted connection instance, resulting in a denial-of-service impact limited to availability disruption for that specific session.

Exim advisories recommend upgrading to version 4.99.2 or later for mitigation, with the fix implemented in commit 628bbaca7672748d941a12e7cd5f0122a4e18c81 available at https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81. Further details appear in https://exim.org/static/doc/security/CVE-2026-40684.txt and https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment, alongside announcements on oss-security lists at https://www.openwall.com/lists/oss-security/2026/04/30/21 and http://www.openwall.com/lists/oss-security/2026/05/01/11.

Details

CWE(s): CWE-684 (Incorrect Provision of Specified Functionality)

Affected Products

Vendor: exim
Product: exim
Versions: ≤ 4.99.2

CVEs Like This One

- CVE-2025-26794 (same product: Exim)
- CVE-2026-40685 (same product: Exim)
- CVE-2026-40687 (same product: Exim)
- CVE-2025-67896 (same product: Exim)
- CVE-2025-30232 (same product: Exim)
- CVE-2026-44597 (shared CWE-684)
- CVE-2026-42255 (shared CWE-684)
- CVE-2026-30791 (shared CWE-684)
- CVE-2026-34478 (shared CWE-684)
- CVE-2026-3598 (shared CWE-684)
