Exim Mail Server Releases Version 4.99.2 to Patch Memory Corruption and DoS Vulnerabilities

The development team behind the Exim Mail Transfer Agent (MTA) has released version 4.99.2. The release is a security update that fixes four distinct vulnerabilities affecting the stability and confidentiality of mail hosting environments.

All four are memory-safety flaws, ranging from heap corruption to out-of-bounds (OOB) reads and writes. Left unpatched, they allow a remote client to crash the service (Denial of Service) or, more seriously, to leak the contents of adjacent process heap memory.

For administrators overseeing critical mail infrastructure, immediate deployment of this update is strongly recommended to mitigate the risk of exploitation.

Details of the fixes were first shared with Linux distribution maintainers on April 24, 2026 under coordinated disclosure, and the public release followed on April 29. The disclosure announcement for these flaws was posted to the oss-security mailing list.

Because Exim handles message routing for a large share of Unix-like systems, the exposed population is substantial. MTAs are built to accept and parse complex, unverified data from untrusted remote peers, which makes them a natural target for input-parsing bugs.

During an SMTP transaction Exim must parse a range of structured input: RFC-format headers, domain names and reverse-DNS results, and authentication handshake messages. A length or encoding error in any of these parsers breaks memory safety and lets a crafted payload corrupt heap memory or influence the program's execution flow.

Technical Breakdown of Discovered Vulnerabilities

Exim 4.99.2 addresses four Common Vulnerabilities and Exposures (CVE) identifiers. Each affects a different stage of the mail processing pipeline:

  • CVE-2026-40684 (DNS Parsing Error): A crash triggered by malicious data in DNS PTR records, which Exim looks up for the connecting client's address. The root cause is an octal printing error that manifests only on systems built against musl libc rather than glibc, so the exposure is environment-specific, but on affected builds an attacker who controls the reverse-DNS zone of a connecting address can take the service down.
  • CVE-2026-40685 (JSON Heap Corruption): Malformed JSON processed from email header data can cause out-of-bounds read and write operations. The result is heap corruption, which at minimum crashes the process and in the worst case could be leveraged further.
  • CVE-2026-40686 (UTF-8 Boundary Issue): An out-of-bounds read when handling UTF-8 sequences whose trailing bytes run past the end of a header. An attacker can use it to leak adjacent memory contents, particularly where the leaked bytes are echoed back in error messages on subsequent connections.
  • CVE-2026-40687 (SPA Authentication Flaw): An out-of-bounds read and write in the Secure Password Authentication (SPA, NTLM-style) authenticator driver. An unauthenticated remote client that starts an SPA AUTH exchange can crash the Exim instance or extract sensitive data from the heap.

Taken together, the risk profile is centred on Denial of Service and information disclosure. An attacker able to send malformed SMTP headers, or to control the DNS responses a server receives, could take a site's mail processing offline. Organisations whose configurations apply Exim's JSON operators to untrusted input, or that enable the SPA/NTLM authenticator, should consider themselves at elevated risk.

Remediation and Best Practices

System administrators should upgrade to Exim 4.99.2 without delay, either through the package manager of their Linux distribution or by building from the official project source. Where the upgrade cannot be applied immediately, removing an unused spa authenticator from the configuration and avoiding JSON expansion on untrusted header data removes exposure to two of the four issues, though not to the DNS and UTF-8 flaws.
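The following script is an added example, not code from the Exim project or from the article. It reads the text of `exim -bV` (whose first line carries the version and which lists the compiled-in authenticators) and a configuration file to report whether a host is below the fixed 4.99.2 release, whether the spa authenticator is compiled in or configured, and whether the JSON extract operator appears in the configuration. The embedded `exim -bV` output and configuration snippet are constructed samples; the function names, the `--live` and `--demo` flags and the `FIXED` threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not Exim's own code): assess exposure to the 4.99.2 fixes.
# Functions take captured text as arguments so they can be exercised on the
# constructed samples below without an Exim binary present.

FIXED=4.99.2   # first release carrying all four fixes, per the announcement

# True (exit 0) when dotted version $1 sorts before $2, e.g. 4.98.2 < 4.99.2.
# Up to three numeric components are compared; missing components count as 0.
version_lt() {
    a=$(printf '%s\n' "$1" | awk -F. '{printf "%d%03d%03d", $1, $2, $3}')
    b=$(printf '%s\n' "$2" | awk -F. '{printf "%d%03d%03d", $1, $2, $3}')
    [ "$a" -lt "$b" ]
}

# Extract "4.98.2" from a first line such as "Exim version 4.98.2 #2 built ...".
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True when the "Authenticators:" line of `exim -bV` output lists spa.
has_spa_auth() {
    printf '%s\n' "$1" | grep -Eq '^Authenticators:.* spa( |$)'
}

# Print one flag per line for risk-raising settings found in configuration text:
# a configured spa authenticator, and use of ${extract json...}/${extract jsons...}.
config_risk_flags() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*driver[[:space:]]*=[[:space:]]*spa([[:space:]]|$)' \
        && echo spa_configured
    printf '%s\n' "$1" | grep -Eq '\$[{]extract[[:space:]]+jsons?[[:space:]]*[{]' \
        && echo json_extract_used
    return 0
}

# Verdict on `exim -bV` text: exit 1 when unpatched, 2 when unparseable, 0 when fixed.
assess() {
    v=$(exim_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse Exim version from input"
        return 2
    fi
    if version_lt "$v" "$FIXED"; then
        if has_spa_auth "$1"; then
            echo "VULNERABLE: Exim $v < $FIXED (spa authenticator compiled in)"
        else
            echo "VULNERABLE: Exim $v < $FIXED"
        fi
        return 1
    fi
    echo "OK: Exim $v >= $FIXED"
    return 0
}

# Constructed sample of `exim -bV` output from an unpatched build (not a real host).
SAMPLE='Exim version 4.98.2 #2 built 15-Apr-2026 09:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS DANE DKIM DNSSEC Event OCSP PRDR PROXY SOCKS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dnsdb dsearch ldap sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp'

# Constructed configuration fragment with an enabled spa authenticator (not a real config).
SAMPLE_CONF='begin authenticators
spa_login:
  driver = spa
  public_name = NTLM
  server_password = ${lookup{$auth1}lsearch{/etc/exim4/spa_users}}
  server_set_id = $auth1

begin routers
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp'

case "${1:-}" in
    --live) assess "$(exim -bV 2>/dev/null)"; config_risk_flags "$(cat "${2:-/etc/exim4/exim4.conf}")" ;;
    --demo) assess "$SAMPLE"; config_risk_flags "$SAMPLE_CONF" ;;
esac
```

Run it with `--demo` to see the verdict on the embedded samples, or with `--live [config-path]` on a real host; the exit status of `assess` is intended for use in fleet-wide checks, and the configuration grep is a heuristic that catches the common spellings of the two risk-raising settings rather than a full parse of Exim's configuration syntax.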

Note that the Exim maintainers have stated that older release lines no longer receive security support, so hosts running end-of-life versions will remain exposed to these and any future flaws unless they move to a supported release. The release files and signed Git tags for 4.99.2 are available from the official Exim infrastructure.
