Description

In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

State: PUBLISHED | Reserved 2026-04-14 | Published 2026-04-30 | Updated 2026-05-01 | Assigner: mitre

Severity: MEDIUM, base score 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Problem types

CWE-684 Incorrect Provision of Specified Functionality

Product status

Default status: unaffected

Any version before 4.99.2: affected

References

www.openwall.com/lists/oss-security/2026/05/01/11

www.openwall.com/lists/oss-security/2026/04/30/21

exim.org/.../security/cve-2026-04.1/CVE2026-40684.assessment

code.exim.org/...it/628bbaca7672748d941a12e7cd5f0122a4e18c81

exim.org/static/doc/security/CVE-2026-40684.txt

cve.org (CVE-2026-40684)

nvd.nist.gov (CVE-2026-40684)