Cyber Posture

CVE-2026-40685

Medium

Published: 30 April 2026
Modified: 01 May 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: available (Exim 4.99.2)
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0007 (21.5th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40685 is a medium-severity Incorrect Provision of Specified Functionality (CWE-684) vulnerability in the Exim mail transfer agent (vendor Exim, product Exim). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0007 places it at the 21.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Applying the Exim 4.99.2 patch directly remediates the out-of-bounds heap write caused by incorrect backslash skipping during JSON lookup on untrusted headers.

prevent (SI-10, Information Input Validation): Validating the syntax, semantics and content of untrusted email headers before any JSON operator runs on them rejects malformed JSON and keeps the vulnerable parser from being reached. Because the defect is in the JSON string scanner itself, this check must be done by independent code, or by not applying JSON operators to untrusted header values at all, until the patch is in place.

prevent: Memory safeguards such as heap hardening and address space layout randomization limit what an attacker can do with the out-of-bounds heap write. They reduce the chance of a controlled integrity impact but do not stop the write from crashing the process, so the denial-of-service outcome remains until Exim is patched.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A vulnerability in a public-facing Exim mail server that can be triggered remotely through crafted headers to cause an out-of-bounds write supports T1190 (Exploit Public-Facing Application); the high availability impact and resulting service denial support T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.

Deeper analysis

CVE-2026-40685 is a vulnerability in the Exim mail transfer agent affecting versions before 4.99.2. When JSON lookup is enabled, an out-of-bounds heap write can occur if a JSON operator processes malformed JSON in an untrusted header, stemming from an incorrect implementation of backslash skipping. The issue is associated with CWE-684 (Incorrect Provision of Specified Functionality) and CWE-787 (Out-of-bounds Write) and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H).

A remote, unauthenticated attacker needs no user interaction to trigger this vulnerability, although the attack complexity is rated high. A successful trigger performs the heap write, with high availability impact and low integrity impact: service denial or limited data tampering, and no confidentiality loss.
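The following is a constructed illustration of the bug class behind CVE-2026-40685 and of the input-validation mitigation recommended above; it is example code written for this page, not Exim's source, and the function names and sample header values are assumptions. The buggy scanner advances two bytes on every backslash without checking that a second byte exists, so a value ending in a backslash carries its index past the NUL terminator (a real implementation would then read, and while unescaping write, past the allocation). The hardened scanner validates every escape against the JSON string grammar and bounds-checks every access, which is the kind of independent check a header value needs before any JSON operator sees it.

```c
/* Constructed example for CVE-2026-40685's bug class; not Exim code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static bool is_hex(char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
           (c >= 'A' && c <= 'F');
}

/* Buggy scanner. s is a NUL-terminated buffer of len bytes whose first byte is
 * the opening quote. Returns the index one past the closing quote, or -1.
 * Instead of touching memory past the buffer, it stops and records in
 * *reached how far the unchecked index got: anything above len is an
 * out-of-bounds access in the real thing. */
static long scan_json_string_buggy(const char *s, size_t len, size_t *reached)
{
    size_t i = 1;
    for (;;) {
        if (i > len || s[i] == '\0') { *reached = i; return -1; }
        if (s[i] == '"') { *reached = i; return (long)(i + 1); }
        if (s[i] == '\\') { i += 2; continue; }   /* BUG: s[i+1] may be the NUL */
        i++;
    }
}

/* Hardened scanner: each escape is checked against the JSON grammar before
 * the index moves, and every access is bounds-checked. Returns the index one
 * past the closing quote, or -1 on any malformed input. */
static long scan_json_string_safe(const char *s, size_t len)
{
    if (len < 2 || s[0] != '"') return -1;
    for (size_t i = 1; i < len; ) {
        unsigned char c = (unsigned char)s[i];
        if (c == '"') return (long)(i + 1);
        if (c < 0x20) return -1;                    /* raw control byte */
        if (c != '\\') { i++; continue; }
        if (i + 1 >= len) return -1;                /* trailing backslash */
        char e = s[i + 1];
        if (e != '\0' && strchr("\"\\/bfnrt", e)) { i += 2; continue; }
        if (e != 'u' || i + 5 >= len) return -1;    /* unknown escape or short \u */
        for (size_t k = 2; k <= 5; k++)
            if (!is_hex(s[i + k])) return -1;
        i += 6;
    }
    return -1;                                      /* no closing quote */
}

/* Highest index the buggy scanner would touch on a NUL-terminated value. */
static size_t buggy_index_reached(const char *value)
{
    size_t reached = 0;
    scan_json_string_buggy(value, strlen(value), &reached);
    return reached;
}

/* Pre-check a header value before any JSON operator touches it: accept only a
 * complete, well-formed JSON string token. A stand-in for the validation
 * step, not an Exim API. */
static bool header_value_is_json_string(const char *value)
{
    size_t len = strlen(value);
    return scan_json_string_safe(value, len) == (long)len;
}

int main(void)
{
    /* Constructed header values; the second ends in a lone backslash. */
    const char *samples[] = { "\"abc\\\"d\\u00e9\"", "\"abc\\", "\"abc" };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        size_t len = strlen(samples[n]);
        printf("%-16s len=%zu buggy_reached=%zu safe=%ld accept=%d\n",
               samples[n], len, buggy_index_reached(samples[n]),
               scan_json_string_safe(samples[n], len),
               header_value_is_json_string(samples[n]));
    }
    return 0;
}
```

On the sample "abc\ (five bytes plus the terminator) the buggy scanner's index reaches 6, one past the terminator, while the hardened scanner rejects the value at the trailing backslash; on the well-formed sample both agree on the end of the token.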

Exim advisories recommend upgrading to version 4.99.2, which addresses the flaw via commit 9fdc057e71b87c87a0d3d2288b2810a0efaaba57. Detailed security notes and assessments are provided at https://exim.org/static/doc/security/CVE-2026-40685.txt and https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40685.assessment, with the vulnerability announced on the oss-security mailing list at https://www.openwall.com/lists/oss-security/2026/04/30/21.

Details

CWE(s)
CWE-684 Incorrect Provision of Specified Functionality
CWE-787 Out-of-bounds Write

Affected Products
Vendor: exim
Product: exim
Versions: < 4.99.2 (fixed in 4.99.2)

CVEs Like This One

CVE-2026-40687 (same product: Exim)
CVE-2026-40684 (same product: Exim)
CVE-2025-67896 (same product: Exim)
CVE-2025-26794 (same product: Exim)
CVE-2025-30232 (same product: Exim)
CVE-2026-25990 (shared CWE-787)
CVE-2026-27816 (shared CWE-787)
CVE-2026-25986 (shared CWE-787)
CVE-2025-25901 (shared CWE-787)
CVE-2026-32636 (shared CWE-787)

References

https://exim.org/static/doc/security/CVE-2026-40685.txt
https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40685.assessment
https://www.openwall.com/lists/oss-security/2026/04/30/21