VDB
CVE-2026-40687
PUBLISHED
CVSS 4.8 MEDIUM
In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.
EPSS 0.18% · 39.7th percentile
Risk Scores
- CVSS v3.1: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)
- EPSS Score: 0.18% (39.7th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| exim | exim | 0 |
| Exim | Exim | 0 |
Timeline
- Apr 30, 2026 CVE Published
- Apr 30, 2026 PoC Published
- May 1, 2026 Security Advisory
- May 1, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
References
- https://www.exim.org/static/doc/security/cve-2026-04.1/ (advisory)
- https://exim.org/static/doc/security/CVE-2025-40687.txt (url)
- https://www.openwall.com/lists/oss-security/2026/04/30/21 (url)
- https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40687.assessment (url)
- https://code.exim.org/exim/exim/commit/68b963b9f75ca27b38e1c0f8c87037990199f505 (url)