Full Report
Exim security advisory (AV26-460)
Analysis Summary
# Vulnerability: Exim Remote Code Execution via Buffer Overflow
## CVE Details
- **CVE ID:** CVE-2026-0501 (not quoted from the referenced advisories; inferred from the advisory date and reference, so treat it as unconfirmed until the Exim advisory or NVD entry is checked)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-120 (Buffer Copy without Checking Size of Input)
## Affected Systems
- **Products:** Exim Mail Transfer Agent (MTA)
- **Versions:** 4.97 to 4.99.2
- **Configurations:** Any Exim instance that accepts SMTP connections from untrusted networks; internet-facing MX hosts handling inbound mail are the highest-risk case.
## Vulnerability Description
The flaw is a buffer overflow in Exim's handling of data received during an SMTP transaction. An unauthenticated remote attacker who can reach the SMTP listener can send crafted SMTP input that overflows a fixed-size buffer and corrupts process memory; with a reliable exploit, that corruption can be turned into control of the Exim process's execution flow. Because the Exim binary is installed setuid root and the listening daemon is normally started as root, code execution in the receiving process typically means root-equivalent access to the host.
## Exploitation
- **Status:** PoC Available / Targeted exploitation observed
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Total (Attacker can read all mail data and system files)
- **Integrity:** Total (Attacker can modify mail, system configurations, or binaries)
- **Availability:** Total (Attacker can crash the service or delete data)
## Remediation
### Patches
- **Exim Version 4.99.3:** Users should upgrade immediately to this version or newer to resolve the flaw.
- Distribution packages (Debian, RHEL, Ubuntu and others) should be applied as soon as the distribution maintainers publish them. Distributions often backport the fix without changing the upstream version number, so confirm the fix from the package changelog or the distribution's advisory rather than from `exim -bV` alone.
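A quick triage helper for the version range above, as an added example that is not part of the advisory or of the Exim project: it parses the first line of `exim -bV` output and applies the stated affected range (4.97 up to but not including 4.99.3). The sample version strings are constructed, and the caveat in the output about distribution backports is this example's own guidance, not text from the advisory.

```python
import re
import subprocess

# Affected range as stated in the advisory summary: 4.97 .. 4.99.2, fixed in 4.99.3.
AFFECTED_MIN = (4, 97)
FIXED_IN = (4, 99, 3)

# First line of `exim -bV` looks like: "Exim version 4.98.1 #2 built 02-Jan-2025"
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(bv_output: str) -> tuple:
    """Return (major, minor, patch) from `exim -bV` output; patch defaults to 0."""
    m = _VERSION_RE.search(bv_output)
    if not m:
        raise ValueError("no 'Exim version' string found in output")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: tuple) -> bool:
    """True if version falls inside the advisory's range (>= 4.97 and < 4.99.3).

    Tuple comparison does the work: (4, 97) <= (4, 97, 0) < (4, 99, 3)."""
    return AFFECTED_MIN <= version < FIXED_IN


def assess(bv_output: str) -> str:
    """Human-readable verdict for one host's `exim -bV` output."""
    v = parse_exim_version(bv_output)
    label = f"{v[0]}.{v[1]}" + (f".{v[2]}" if v[2] else "")
    if is_affected(v):
        # A distro backport may keep the old version string, hence the second clause.
        return f"{label}: AFFECTED - upgrade to 4.99.3 or later, or confirm a backported fix from the package changelog"
    if v < AFFECTED_MIN:
        return f"{label}: older than the stated affected range (4.97); verify its status separately"
    return f"{label}: not affected by this advisory"


if __name__ == "__main__":
    # On a real host, run the installed binary. The binary name differs by distro
    # (exim on RHEL/EPEL, exim4 on Debian/Ubuntu), so try both.
    for exe in ("exim", "exim4"):
        try:
            out = subprocess.run([exe, "-bV"], capture_output=True, text=True, check=True).stdout
            print(assess(out))
            break
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue
    else:
        print("no exim binary found in PATH")
```

Run it on each mail host (or feed it `exim -bV` output collected by your configuration-management tool); an "AFFECTED" verdict on a host whose package changelog already records the fix is the backport case described above, not a gap.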
### Workarounds
- **Note:** There are no robust workarounds that preserve full SMTP functionality.
- Limiting the maximum message size or restricting accepted headers may reduce the attack surface but does not mitigate the flaw, and must not be treated as a substitute for patching.
- If the host does not need to accept mail from arbitrary Internet senders (for example an internal relay or a submission-only host), restrict SMTP access to trusted IP ranges with firewall rules until the patch is applied.
## Detection
- **Indicators of Compromise:** Child processes of `exim` that are not part of normal delivery, such as a shell (`sh`, `bash`) or download/network tooling (`curl`, `wget`, `nc`, `python`) with an Exim process as parent or ancestor. Exim legitimately forks delivery and transport processes, so filter on the child's executable rather than on fork activity alone. Kernel segfault messages for `exim`/`exim4` in the kernel log (`dmesg`, `journalctl -k`, `/var/log/syslog` or `/var/log/messages`) indicate failed or unstable exploitation attempts; the crash is recorded by the kernel, not in Exim's own log. Exim's main log (`/var/log/exim/mainlog`, or `/var/log/exim4/mainlog` on Debian-based systems) is still worth reviewing for aborted or unusual SMTP sessions from the same client around the time of any crash.
- **Detection methods:** Alert on outbound connections from the mail server to destinations other than its expected mail peers, DNS resolvers and update mirrors (a reverse shell or second-stage download). Use IDS signatures or YARA rules published for this advisory; because the CVE identifier above is inferred, search vendor signature sets by the advisory reference (EXIM-Security-2026-05-01.1) as well as by CVE.
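The two host-based indicators above, as an added detection example that is not from the advisory: it walks a process tree looking for shells or download tools that have an Exim ancestor, and scans kernel log lines for Exim segfaults. The process records and log lines below are constructed for the example; `read_proc_tree` builds real records from `/proc` when the script is run on a Linux mail host. The list of suspicious binaries is an assumption to tune per site.

```python
import os
import re

# Constructed sample data (not from a real incident). Records mirror what
# read_proc_tree() returns from /proc: pid, ppid, comm, exe.
SAMPLE_PROCS = [
    {"pid": 900,  "ppid": 1,    "comm": "exim4", "exe": "/usr/sbin/exim4"},
    {"pid": 1201, "ppid": 900,  "comm": "exim4", "exe": "/usr/sbin/exim4"},  # normal delivery child
    {"pid": 1202, "ppid": 1201, "comm": "sh",    "exe": "/usr/bin/dash"},    # shell under Exim
    {"pid": 1203, "ppid": 1202, "comm": "curl",  "exe": "/usr/bin/curl"},    # download from that shell
    {"pid": 1300, "ppid": 1,    "comm": "sshd",  "exe": "/usr/sbin/sshd"},
]

# Constructed kernel log excerpt; the segfault line uses the real kernel format.
SAMPLE_KERNEL_LOG = """\
May  2 03:14:07 mx1 kernel: [123456.789012] exim4[1199]: segfault at 4141414141414141 ip 00007f3c2a1b2c3d sp 00007ffd9e8f7a60 error 4 in exim4[55d4c8a00000+1a0000]
May  2 03:14:09 mx1 kernel: [123458.001122] usb 1-1: new high-speed USB device number 4 using xhci_hcd
May  2 03:15:01 mx1 CRON[1301]: (root) CMD (run-parts /etc/cron.hourly)
"""

EXIM_NAMES = {"exim", "exim4"}
# Assumed list; extend or allowlist per site (pipe transports may legitimately run sh).
SUSPICIOUS_BINARIES = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat",
                       "netcat", "socat", "python", "python3", "perl"}

SEGFAULT_RE = re.compile(
    r"kernel: .*?(?P<comm>\bexim4?)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+)"
)


def has_exim_ancestor(proc, by_pid):
    """Walk the ppid chain; True if any ancestor is an Exim process."""
    seen = set()
    p = by_pid.get(proc["ppid"])
    while p is not None and p["pid"] not in seen:
        seen.add(p["pid"])
        if p["comm"] in EXIM_NAMES:
            return True
        p = by_pid.get(p["ppid"])
    return False


def find_suspicious_children(procs):
    """PIDs of suspicious binaries running beneath an Exim process."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        name = os.path.basename(p["exe"]) or p["comm"]
        if (name in SUSPICIOUS_BINARIES or p["comm"] in SUSPICIOUS_BINARIES) and has_exim_ancestor(p, by_pid):
            hits.append(p["pid"])
    return hits


def find_exim_segfaults(log_text):
    """Kernel segfault records for Exim processes. A fault address made of a
    repeated byte (e.g. 4141...) is the classic sign of attacker-controlled data."""
    hits = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m:
            hits.append({"comm": m["comm"], "pid": int(m["pid"]), "addr": m["addr"], "ip": m["ip"]})
    return hits


def read_proc_tree():
    """Build process records from /proc on Linux (root needed to read every exe link)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])  # fields after ')' : state ppid ...
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
            procs.append({"pid": pid, "ppid": ppid, "comm": comm, "exe": exe})
        except (OSError, ValueError):
            continue  # process exited mid-scan or unreadable
    return procs


if __name__ == "__main__":
    print("suspicious PIDs under Exim:", find_suspicious_children(read_proc_tree()))
    print("sample kernel log segfaults:", find_exim_segfaults(SAMPLE_KERNEL_LOG))
```

Feed `find_exim_segfaults` the output of `journalctl -k` or the syslog file on the host; pair any hit with Exim's main log and the SMTP client address active at that time. Sites whose pipe transports or `${run ...}` expansions legitimately execute a shell will need those paths removed from the suspicious set or the matching child allowlisted, otherwise the process check fires on normal delivery.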
## References
- [Exim Security Advisory for EXIM-Security-2026-05-01.1] - hxxps[://]www[.]exim[.]org/static/doc/security/EXIM-Security-2026-05-01.1/EXIM-Security-2026-05-01.1.txt
- [Download sites for Exim] - hxxps[://]www[.]exim[.]org/download[.]html
- [Canadian Centre for Cyber Security Advisory] - hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/exim-security-advisory-av26-460