Vulnerability - CVE-2026-40684

Name

CVE-2026-40684

Source

NVD ( link)Debian ( link)

Description

In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

CWEs

CWE-684

Published Date

Apr 30, 2026

Updated Date

Jun 17, 2026

Workaround

Advisories

https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81Patch

https://exim.org/static/doc/security/CVE-2026-40684.txtBroken Link

https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessmentVendor Advisory

https://www.openwall.com/lists/oss-security/2026/04/30/21Mailing List

Analysis#

Affected Component

Analysis

exim

Exploitable

Vulnerability Ratings#

5.9

CVSSv31

7.5

CVSSv31

NaN

other

Others affected components#

Name

Project

Project Version

Version

Status

exim

buildroot

2025.02.x

4.99.4

Not Affected

exim

buildroot

master

4.99.4

Not Affected

exim

openwrt

master

4.99.4-r1

Not Affected