CVE-2026-40687
Published: 30 April 2026
Summary
CVE-2026-40687 is a medium-severity Missing Initialization of Resource (CWE-909) vulnerability in Exim Exim. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation through patching Exim to version 4.99.2 directly eliminates the memory safety vulnerability in the SPA authentication driver.
Least functionality restricts or prohibits the SPA authentication driver if not essential, preventing exploitation requiring its enablement.
Memory protection safeguards such as ASLR and DEP mitigate out-of-bounds writes and uninitialized heap memory leaks in Exim.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploit against public-facing Exim MTA (T1190); OOB write crashes connection instance enabling application exploitation for DoS (T1499.004).
NVD Description
In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.
Deeper analysisAI
CVE-2026-40687 is a memory safety vulnerability in the Exim mail transfer agent (MTA) versions prior to 4.99.2. It occurs when the SPA (Secure Password Authentication) driver is used with an adversarial SPA resource, potentially triggering an out-of-bounds write that crashes the affected connection instance. Alternatively, it can lead to erroneous data processing that leaks contents from uninitialized heap memory. The issue is tracked under CWE-909 (Missing Initialization of Resource) and carries a CVSS v3.1 base score of 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L), indicating moderate severity with network accessibility but high attack complexity.
Remote, unauthenticated attackers can exploit this vulnerability over the network if the target Exim instance has the SPA authentication driver enabled and processes a specially crafted adversarial SPA resource. Exploitation requires no user interaction or privileges but demands sophisticated manipulation of the authentication flow. Successful attacks can achieve either a denial-of-service condition by crashing the specific connection instance or limited confidentiality impact through disclosure of uninitialized heap memory contents.
Mitigation is available via upgrade to Exim 4.99.2, which includes a fix committed at https://code.exim.org/exim/exim/commit/68b963b9f75ca27b38e1c0f8c87037990199f505. Official Exim security advisories provide further details at https://exim.org/static/doc/security/CVE-2026-40687.txt and https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40687.assessment, while the initial disclosure appears in the oss-security mailing list at https://www.openwall.com/lists/oss-security/2026/04/30/21.
Details
- CWE(s)