CVE-2026-40684

CVE Database · CVE-2026-40684

CVE-2026-40684

· MEDIUMModified

CVSS v3.1

5.9

EPSS

0.36%

Published

Apr 30, 2026

Modified

May 1, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

CWE-684

Affected Products (1)

exim · exim (up to 4.99.2)vulnerable

References (5)

https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81

Patch

https://exim.org/static/doc/security/CVE-2026-40684.txt

Broken Link

https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment

Vendor Advisory

https://www.openwall.com/lists/oss-security/2026/04/30/21

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2026/05/01/11

KEV Catalog EPSS Scores Vendors All CVEs