Cyber Resilience

CVE-2026-40685

Medium

Published: 30 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: Exim 4.99.2
CVSS v3.1: 6.5 (Medium), CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS: 0.0032 (23.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-40685 is a medium-severity vulnerability in the Exim mail transfer agent, classified as Incorrect Provision of Specified Functionality (CWE-684) with an Out-of-bounds Write (CWE-787) as the resulting memory-safety error. Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40685 affects the Exim mail transfer agent in versions before 4.99.2. When Exim is built with JSON lookup support and a JSON expansion operator is applied to an untrusted header value, malformed JSON in that value can trigger an out-of-bounds heap write; the root cause is an incorrect implementation of backslash (escape) skipping in the JSON parser. The issue is classified as CWE-684 (Incorrect Provision of Specified Functionality) and CWE-787 (Out-of-bounds Write) and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H).

An unauthenticated remote attacker can trigger the flaw without any user interaction, although attack complexity is rated high. The vulnerable path is reachable only where JSON lookup is enabled and the Exim configuration applies a JSON operator to data taken from a message header; an Exim built without JSON lookup, or whose configuration never passes header data through a JSON operator, is not exposed. A successful trigger corrupts the heap, with the rated impact being high on availability (denial of service), low on integrity (limited corruption of adjacent data) and none on confidentiality.

Exim advisories recommend upgrading to version 4.99.2, which addresses the flaw via commit 9fdc057e71b87c87a0d3d2288b2810a0efaaba57. Detailed security notes and assessments are provided at https://exim.org/static/doc/security/CVE-2026-40685.txt and https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40685.assessment, with the vulnerability announced on the oss-security mailing list at https://www.openwall.com/lists/oss-security/2026/04/30/21.

Vulnerability details

In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.

CWE(s)

CWE-684 Incorrect Provision of Specified Functionality
CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A crafted message header delivered to a public-facing Exim server triggers the out-of-bounds write, which maps to T1190 (initial access by exploiting a public-facing application). Because the rated impact is high on availability and the likely outcome is service denial, the same exploitation also maps to T1499.004 (endpoint denial of service through application exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40684 (same product: Exim)
CVE-2026-40687 (same product: Exim)
CVE-2026-45185 (same product: Exim)
CVE-2025-67896 (same product: Exim)
CVE-2025-26794 (same product: Exim)
CVE-2025-30232 (same product: Exim)
CVE-2025-25901 (shared CWE-787)
CVE-2025-32008 (shared CWE-787)
CVE-2026-27664 (shared CWE-787)
CVE-2024-13166 (shared CWE-787)

Affected Assets

exim / exim: versions before 4.99.2 (< 4.99.2); 4.99.2 contains the fix. Only builds with JSON lookup enabled are affected. Running "exim -bV" prints the installed version together with the list of built-in lookups, so it shows both whether the host is on a vulnerable release and whether json support is compiled in.

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 Flaw Remediation
Applying the Exim 4.99.2 patch directly remediates the out-of-bounds heap write from incorrect backslash skipping during JSON lookup on untrusted headers.

prevent · SI-10 Information Input Validation
Validating the syntax, semantics and content of untrusted email headers before they reach a JSON operator rejects malformed JSON and keeps the vulnerable parser from being entered. Until the patch is applied, the narrowest form of this control is to stop applying JSON operators to header-derived data in the Exim configuration.

prevent
Memory safeguards such as heap hardening and address space layout randomisation raise the cost of turning the out-of-bounds write into an integrity impact, but they do not prevent the denial-of-service outcome: the write can still crash the process.
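As an added illustration of the weakness class described in the Deeper analysis and of the input-validation control above, the C program below places a JSON string scanner that skips the byte after a backslash unconditionally beside a hardened scanner that first checks the byte exists and only then sizes a heap copy. This is example code written for this page, not Exim's code, and it does not claim to reproduce the shape of Exim's parser; the function names, the buffer layout and the sample header values are assumptions made for the example. The buggy scanner reports how far past the buffer it would have run instead of performing the write, so the program is safe to execute.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative reconstruction of the weakness class (CWE-787 reached through
 * incorrect backslash skipping). Not Exim's code: the parser shape, names and
 * sample inputs are assumptions made for this example.
 */

/*
 * Vulnerable pattern. Scans a JSON string literal starting at s[0] == '"' and
 * returns the index of the closing quote. On a backslash it advances two
 * positions without checking that the escaped byte exists, so a value ending
 * in a lone backslash steps past the end of the buffer. A copying parser that
 * used this index as a length would then write out of bounds; here the overrun
 * is made visible by returning an index greater than len.
 */
size_t scan_string_buggy(const char *s, size_t len)
{
    size_t i = 1;
    while (i < len) {
        if (s[i] == '\\') {
            i += 2;            /* BUG: unconditional skip, no bound check */
            continue;
        }
        if (s[i] == '"')
            return i;
        i++;
    }
    return i;                  /* == len: unterminated; > len: ran off the end */
}

/*
 * Hardened scanner: an escape is accepted only if the escaped byte lies inside
 * the buffer, and a string that never closes is reported as malformed.
 * Returns 0 and sets *end to the closing quote index, or -1 on malformed input.
 */
int scan_string_safe(const char *s, size_t len, size_t *end)
{
    if (len < 2 || s[0] != '"')
        return -1;
    for (size_t i = 1; i < len; i++) {
        if (s[i] == '\\') {
            if (i + 1 >= len)
                return -1;     /* lone trailing backslash: reject */
            i++;               /* skip the escaped byte, now known to exist */
            continue;
        }
        if (s[i] == '"') {
            *end = i;
            return 0;
        }
    }
    return -1;                 /* unterminated string */
}

/*
 * Validate-then-process: decode the string body into a freshly allocated
 * buffer only after scan_string_safe() accepted it. Unknown escapes (including
 * \u, which this example does not support) are rejected rather than guessed.
 * Returns NULL for malformed input; the caller frees the result.
 */
char *unescape_json_string(const char *s, size_t len)
{
    size_t end;
    if (scan_string_safe(s, len, &end) != 0)
        return NULL;
    /* Decoding only shrinks: end-1 body bytes plus a NUL is an upper bound. */
    char *out = malloc(end);
    if (out == NULL)
        return NULL;
    size_t o = 0;
    for (size_t i = 1; i < end; i++) {
        if (s[i] != '\\') {
            out[o++] = s[i];
            continue;
        }
        i++;                   /* scan_string_safe guarantees i < end here */
        switch (s[i]) {
        case '"':  out[o++] = '"';  break;
        case '\\': out[o++] = '\\'; break;
        case '/':  out[o++] = '/';  break;
        case 'b':  out[o++] = '\b'; break;
        case 'f':  out[o++] = '\f'; break;
        case 'n':  out[o++] = '\n'; break;
        case 'r':  out[o++] = '\r'; break;
        case 't':  out[o++] = '\t'; break;
        default:
            free(out);         /* malformed escape: reject the whole value */
            return NULL;
        }
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed header values for the demonstration, not captured traffic. */
    const char *samples[] = {
        "\"ok\"",            /* well-formed */
        "\"a\\\\b\"",        /* escaped backslash */
        "\"\\",              /* lone trailing backslash: the problem case */
        "\"x\\q\"",          /* unknown escape */
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        const char *s = samples[k];
        size_t len = strlen(s);
        size_t where = scan_string_buggy(s, len);
        char *decoded = unescape_json_string(s, len);
        printf("%-12s buggy scan stops at %zu of %zu%s | hardened: %s\n",
               s, where, len, where > len ? " (PAST END)" : "",
               decoded ? decoded : "rejected");
        free(decoded);
    }
    return 0;
}
```

The lone-backslash sample is the one that matters: the buggy scanner leaves its cursor beyond the end of the input, which in a real parser becomes the length of a copy into a heap buffer that was sized for the visible bytes, while the hardened scanner rejects the value before anything is allocated. That is the shape of the SI-10 control: refuse malformed input at the boundary, rather than rely on the decoder to cope with it.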

References

https://exim.org/static/doc/security/CVE-2026-40685.txt
https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40685.assessment
https://www.openwall.com/lists/oss-security/2026/04/30/21