CVE-2026-40684

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.9 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

Vulnerability Details

Published Date

April 30, 2026

Last Modified

April 30, 2026

CWE ID

CWE-684

Source

NVD

Vendor

Exim

Product

Exim

External References

https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81
https://exim.org/static/doc/security/CVE-2025-40684.txt
https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment
https://www.openwall.com/lists/oss-security/2026/04/30/21

CVE-2026-40684

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment