VDB
CVE-2026-40684
CVE-2026-40684
PUBLISHED
CVSS 5.900000095367432 MEDIUM
In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.
EPSS 0.19% · 40.6th percentile
Risk Scores
CVSS v3.1
5.900000095367432
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.19%
40.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| exim | exim | 0 |
| Exim | Exim | 0 |
Timeline
- Apr 30, 2026 CVE Published
- Apr 30, 2026 PoC Published
- May 1, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
References
- https://www.exim.org/static/doc/security/cve-2026-04.1/ advisory
- https://exim.org/static/doc/security/CVE-2025-40684.txt url
- https://www.openwall.com/lists/oss-security/2026/04/30/21 url
- https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment url
- https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81 url