The Exim development team has released version 4.99.2 to address four newly discovered security vulnerabilities in one of the internet's most widely deployed message transfer agents. The patches, initially shared with Linux distribution maintainers on April 24, 2026, before formal public release on April 29, fix a range of serious flaws that allow attackers to crash server connections, corrupt heap memory, and leak sensitive system data through carefully crafted malicious inputs. Given that Exim powers email infrastructure for a significant proportion of organisations running Unix-like operating systems globally, system administrators are strongly advised to apply this update without delay.
CVE-2026-40684 is the most immediately disruptive of the four flaws. It crashes the connection instance outright when a malformed PTR record is received as part of DNS data. The crash stems from an octal printing error that affects only builds using the musl C library, not glibc. A threat actor able to serve a malformed PTR record to a vulnerable Exim instance can therefore trigger a denial-of-service condition against the targeted mail server, disrupting all email processing for the affected connection.
CVE-2026-40685 causes out-of-bounds read and write operations when the server's JSON operators are applied to invalid external input, such as corrupted JSON data carried in email headers. Successful exploitation can directly lead to heap corruption, a memory safety failure that in worst-case scenarios can be leveraged for further exploitation, including potential code execution depending on the system configuration and memory layout.
CVE-2026-40686 exposes an out-of-bounds read triggered by large UTF-8 trailing characters in processed email headers. If error messages are generated while subsequent emails are handled within the same connection session, the flaw can cause the server to read data beyond its intended memory boundaries, potentially exposing sensitive information that should not be accessible to external parties.
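As an added illustration of the kind of input pre-validation the JSON and UTF-8 header flaws above call for (this is example code written for this page, not Exim's own code), the following Python helper checks a raw header value for truncated or otherwise invalid UTF-8 sequences and, for headers expected to carry JSON, for well-formedness before the value would be handed to any string operator. The header names, the sample values and the 8 KiB size limit are constructed for the example and are not Exim settings.

```python
"""Pre-validation of externally supplied header values for well-formed
UTF-8 and JSON, before they reach any string operator.

Added example, not Exim code. It reports problems rather than silently
accepting or repairing the input, so a caller can reject or log the header.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_HEADER_BYTES = 8 * 1024  # assumed local limit for this example; not an Exim option


@dataclass(frozen=True)
class HeaderCheck:
    name: str
    ok: bool
    reason: Optional[str] = None


def check_utf8(raw: bytes) -> Optional[str]:
    """Return None if `raw` is valid UTF-8, otherwise a short reason.

    A multibyte sequence cut off at the end of the value (the codec reports
    'unexpected end of data') is named separately from stray start or
    continuation bytes, because the two come from different failure modes.
    """
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        if exc.reason == "unexpected end of data":
            return f"truncated multibyte sequence at byte {exc.start}"
        return f"{exc.reason} at byte {exc.start}"
    return None


def check_json(text: str) -> Optional[str]:
    """Return None if `text` parses as one JSON document, else the parser's
    message together with the character offset where it gave up."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return f"{exc.msg} at char {exc.pos}"
    return None


def validate_header(name: str, raw: bytes, expect_json: bool = False) -> HeaderCheck:
    """Validate one header value.

    Size is checked first, then UTF-8, then (optionally) JSON. JSON is only
    parsed once the bytes are known to be valid UTF-8, so a decoding error
    is reported as such instead of being masked by a JSON error.
    """
    if len(raw) > MAX_HEADER_BYTES:
        return HeaderCheck(name, False, f"{len(raw)} bytes exceeds limit")
    utf8_problem = check_utf8(raw)
    if utf8_problem:
        return HeaderCheck(name, False, f"UTF-8: {utf8_problem}")
    if expect_json:
        json_problem = check_json(raw.decode("utf-8"))
        if json_problem:
            return HeaderCheck(name, False, f"JSON: {json_problem}")
    return HeaderCheck(name, True)


# Constructed sample headers (not captured from real traffic).
SAMPLE_HEADERS: List[Tuple[str, bytes, bool]] = [
    ("Subject", "Quarterly report".encode("utf-8"), False),
    ("Subject", "caf\u00e9".encode("utf-8")[:-1], False),  # 'é' cut after its lead byte
    ("X-Meta", b'{"tenant": "acme", "tier": 2}', True),
    ("X-Meta", b'{"tenant": "acme", "tier": ', True),       # JSON truncated mid-value
    ("X-Meta", b'{"tenant": "\xff"}', True),                # 0xFF is never a UTF-8 start byte
]


def run_checks(headers=SAMPLE_HEADERS) -> List[HeaderCheck]:
    """Validate every (name, raw value, expect_json) triple and return the results."""
    return [validate_header(name, raw, is_json) for name, raw, is_json in headers]


if __name__ == "__main__":
    for result in run_checks():
        status = "ok  " if result.ok else "FAIL"
        print(f"{status} {result.name}: {result.reason or ''}")
```

The ordering of the checks is the point: a value that fails UTF-8 decoding is reported for that reason, and only values that decode cleanly are ever parsed as JSON.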
CVE-2026-40687 creates out-of-bounds read and write vulnerabilities within the SPA authentication driver. When an Exim instance connects to a hostile or compromised external SPA or NTLM authentication service, the vulnerability can cause the server to crash or leak heap memory. Organisations using SPA or NTLM authentication in their Exim configurations face elevated risk from this specific flaw.
Mail servers represent the central communication backbone for modern organisations, processing vast volumes of unverified external data on a continuous basis. Every incoming message requires the server to safely parse complex components including domain names, email headers, authentication requests, and encoded content — each representing a potential attack surface when input validation fails. Threat actors routinely deploy automated scanning tools specifically targeting unpatched internet-facing mail servers, making delayed patching an immediately exploitable risk rather than a theoretical one.
The Exim team has made the patched version available as a tarball download from the official Exim FTP site and directly from the official Git repository. Administrators must upgrade to Exim 4.99.2 without delay. Critically, the Exim maintainers have explicitly stated that older versions of the software are no longer actively maintained, so any organisation that keeps running a legacy Exim deployment without upgrading will carry these four vulnerabilities permanently, with no prospect of a backported fix. Administrators should additionally review email header configurations to ensure proper validation of externally provided JSON and UTF-8 inputs, and audit any SPA or NTLM authentication integrations for exposure to hostile external services.
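To make the upgrade and audit advice concrete, here is an added Python example (written for this page, not an Exim tool) that parses saved `exim -bV` output to confirm a host runs 4.99.2 or later and scans the authenticators section of an Exim configuration for authenticators using the `spa` driver, the driver that implements SPA/NTLM. The sample `-bV` text and configuration are constructed; the section and option names follow Exim's standard configuration layout. It works on text, so it can be run offline against output collected from each host.

```python
"""Offline audit of an Exim host against the 4.99.2 advisory.

Added example, not an Exim tool. It works on saved text (the first line of
`exim -bV` and the configuration file) so it can run anywhere.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

PATCHED: Version = (4, 99, 2)  # fixed release named in the advisory

# `exim -bV` starts with a line like: "Exim version 4.98.1 #2 built 20-Feb-2025 ..."
VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?\b", re.MULTILINE)
SECTION_RE = re.compile(r"^begin\s+(\w+)\s*$")       # e.g. "begin authenticators"
BLOCK_RE = re.compile(r"^([A-Za-z0-9_]+):\s*$")      # e.g. "ntlm_client:"
OPTION_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")  # e.g. "  driver = spa"


def parse_exim_version(bv_output: str) -> Optional[Version]:
    """Parse the version from `exim -bV` output. A two-part version such as
    4.97 compares as 4.97.0; the build number after '#' is ignored."""
    match = VERSION_RE.search(bv_output)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(version: Optional[Version]) -> bool:
    """True only when a version was recognised and it is 4.99.2 or later."""
    return version is not None and version >= PATCHED


def find_authenticators(config_text: str, driver: str = "spa") -> List[str]:
    """Return the names of authenticators whose driver is `driver`.

    Only the 'begin authenticators' section is scanned, so a router or
    transport that happens to share a name with the driver is not reported.
    Blank lines, comment lines and options outside a named block are ignored.
    """
    found: List[str] = []
    in_auth_section = False
    current: Optional[str] = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        section = SECTION_RE.match(stripped)
        if section:
            in_auth_section = section.group(1) == "authenticators"
            current = None
            continue
        if not in_auth_section:
            continue
        block = BLOCK_RE.match(stripped)
        if block:
            current = block.group(1)
            continue
        option = OPTION_RE.match(line)
        if current and option and option.group(1) == "driver" and option.group(2) == driver:
            found.append(current)
    return found


def audit(bv_output: str, config_text: str) -> Dict[str, object]:
    """Combine the version check and the authenticator scan into one report."""
    version = parse_exim_version(bv_output)
    spa = find_authenticators(config_text, "spa")
    return {
        "version": version,
        "patched": is_patched(version),
        "spa_authenticators": spa,
        "needs_attention": (not is_patched(version)) or bool(spa),
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_BV = "Exim version 4.98.1 #2 built 01-Jan-2025 00:00:00\nSupport for: ...\n"

SAMPLE_CONFIG = """\
begin routers
# a router that merely shares the name 'spa' must not be reported
spa:
  driver = accept
  transport = local_delivery

begin authenticators
plain_server:
  driver = plaintext
  public_name = PLAIN

# outbound NTLM to an upstream smarthost
ntlm_client:
  driver = spa
  client_username = relay-user
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_BV, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

A host flagged with `needs_attention` either still runs a pre-4.99.2 build or has at least one SPA/NTLM authenticator configured; the second case is worth reviewing even after the upgrade, since it is the integration the advisory singles out for exposure to hostile external services.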