Ghostwire

CVE-2026-40686: In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing...

LOW CVSS 3.7 Exploit Available

Published: April 30, 2026 | Last Modified: May 1, 2026

Description

In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.

Ghostwire Analysis — What This Means Practically

Exploit code is reported to be available, increasing the likelihood of active exploitation.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (2 articles)

References

code.exim.org/exim/exim/commit/f2570bde16fb4d4a1242ff363a4c4eecf6372efc
exim.org/static/doc/security/CVE-2026-40686.txt
exim.org/static/doc/security/cve-2026-04.1/CVE2026-40686.assessment
www.openwall.com/lists/oss-security/2026/04/30/21
www.tenable.com/cve/CVE-2026-40686
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-40686
nvd.nist.gov/vuln/detail/CVE-2026-40686