Title: Exim Security Advisory for EXIM-Security-2026-05-19.1 / CVE-2026-48840
Announced: 2026-05-29
Reporter: Warisjeet Singh (sin99xx)
Affects: Exim 4.88 up to and including 4.99.3
Corrected: Exim 4.99.4

Exim Security Vulnerability: EXIM-Security-2026-05-19.1
=========================================================

Identifier: EXIM-Security-2026-05-19.1 (CVE-2026-48840)
Type: Pre-authentication information disclosure (uninitialised stack)
Severity: Moderate (CVSS 5.3)
Credit: Warisjeet Singh (sin99xx)

Timeline
--------

2026-05-19 12:35 UTC: Initial security report received from Warisjeet Singh (sin99xx).
2026-05-19 13:26 UTC: Exim maintainers acknowledge the report.
2026-05-19 14:06 UTC: Root cause confirmed; fix prepared in private repositories.
2026-05-25 13:30 UTC: CVE requested from MITRE.
2026-05-25 17:57 UTC: CVE-2026-48840 assigned by MITRE.
2026-05-26 00:41 UTC: Advance notice to distros@vs.openwall.org.
2026-05-27 14:00 UTC: Restricted access to fixes provided for distributors.
2026-05-29 14:00 UTC: Public coordinated release of the fix and advisory.

Vulnerability Summary
---------------------

A pre-authentication information disclosure was discovered in Exim's PROXY-protocol parser. When parsing a PROXY version 2 frame, Exim validated only the upper bound of the declared payload length, not a lower bound. A frame declaring address family TCPv6 (0x21) with a payload length of zero passed this check, and the TCPv6 dispatch path then copied 16 bytes of uninitialised stack memory into the connection's sender address. That value was rendered as an IPv6 address and emitted in the SMTP greeting banner. A TCPv4 (0x11) frame with a payload shorter than 12 bytes exhibits the same defect, disclosing 4 bytes.

The disclosed bytes are live process memory and track address-space layout randomisation (ASLR) across process restarts, making the issue usable as an ASLR-defeat primitive in a larger exploitation chain.

Affected Versions
-----------------

- Exim versions from 4.88 (2017) up to and including 4.99.3 are affected. The development version (master) was affected as well.
- Only builds compiled with SUPPORT_PROXY and configured with a non-empty hosts_proxy are affected. SUPPORT_PROXY is enabled in the Debian, Ubuntu, and RHEL/Fedora packages.
- To reach the vulnerable code, the attacker's source IP must match hosts_proxy, or the attacker must be able to send a PROXY header through a host already listed in hosts_proxy (for example a front-end load balancer).

Mitigation
----------

- Narrow hosts_proxy to the exact load-balancer IP addresses rather than a broader CIDR range.
- Alternatively, unset hosts_proxy entirely to disable PROXY-protocol parsing on the affected listener.

These reduce exposure but are not a substitute for upgrading.

Resolution
----------

The issue is resolved in Exim version 4.99.4. All users of affected versions are strongly encouraged to upgrade.

The fix adds a minimum-payload-length check for each address family before the PROXY-protocol union is read (12 bytes for TCPv4, 36 bytes for TCPv6); frames that fail the check are rejected, consistent with the handling of other malformed frames.

Downloads
---------

The new version is available from the usual locations:

- https://ftp.exim.org/pub/exim/exim4/
- https://code.exim.org/exim/exim (branch exim-4.99+fixes, tag exim-4.99.4)

The release tag exim-4.99.4 is GPG-signed by Heiko Schlittermann (HS12-RIPE), key 0xDD98D92359DE9E3C2663F291697F0EDD68099F6F.
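The two length checks at the heart of this advisory, as an added C example that is not Exim's code: a PROXY-protocol v2 header parser that enforces the upper bound (declared payload must fit inside the bytes received) together with the per-family lower bound the 4.99.4 fix adds (12 bytes for TCPv4, 36 bytes for TCPv6), and that writes the parsed sender address only after a frame passes both. The sample frames are hand-constructed test vectors, including the zero-length TCPv6 case the advisory describes; all function, constant and status names are the example's own.

```c
/* PROXY-protocol v2 parser with upper and lower payload-length bounds.
 * Added illustration for this advisory; not Exim's code. Builds with: cc pp2_check.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define PP2_SIG_LEN   12
#define PP2_HDR_LEN   16      /* 12-byte signature + ver/cmd + family + 16-bit length */
#define PP2_FAM_TCP4  0x11
#define PP2_FAM_TCP6  0x21
#define PP2_MIN_TCP4  12      /* 4 + 4 address bytes, 2 + 2 port bytes  */
#define PP2_MIN_TCP6  36      /* 16 + 16 address bytes, 2 + 2 port bytes */
#define PP2_SIG_BYTES 0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A

static const uint8_t PP2_SIG[PP2_SIG_LEN] = { PP2_SIG_BYTES };

enum pp2_status { PP2_OK, PP2_TRUNCATED, PP2_BAD_SIG, PP2_BAD_VERSION,
                  PP2_BAD_FAMILY, PP2_TOO_SHORT };

struct pp2_addr {
    int      family;
    char     src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
    uint16_t sport, dport;
};

/* Parse one frame of n bytes. `out` is written only on PP2_OK, so a caller can
 * never pick up stale or uninitialised address bytes from a rejected frame. */
enum pp2_status pp2_parse(const uint8_t *buf, size_t n, struct pp2_addr *out)
{
    if (n < PP2_HDR_LEN)                        return PP2_TRUNCATED;
    if (memcmp(buf, PP2_SIG, PP2_SIG_LEN) != 0) return PP2_BAD_SIG;
    if ((buf[12] & 0xF0) != 0x20)               return PP2_BAD_VERSION;

    uint8_t  fam  = buf[13];
    uint16_t len  = (uint16_t)((buf[14] << 8) | buf[15]);
    size_t   need, alen;

    switch (fam) {
    case PP2_FAM_TCP4: need = PP2_MIN_TCP4; alen = 4;  break;
    case PP2_FAM_TCP6: need = PP2_MIN_TCP6; alen = 16; break;
    default:           return PP2_BAD_FAMILY;
    }
    /* Upper bound: the declared payload must lie inside what was received. */
    if ((size_t)len > n - PP2_HDR_LEN) return PP2_TRUNCATED;
    /* Lower bound: the payload must hold a full address block for its family.
     * This is the per-family minimum the advisory says 4.99.4 adds. */
    if (len < need)                    return PP2_TOO_SHORT;

    const uint8_t *p = buf + PP2_HDR_LEN;
    int af = (fam == PP2_FAM_TCP4) ? AF_INET : AF_INET6;
    out->family = fam;
    inet_ntop(af, p,        out->src, sizeof out->src);
    inet_ntop(af, p + alen, out->dst, sizeof out->dst);
    out->sport = (uint16_t)((p[2 * alen]     << 8) | p[2 * alen + 1]);
    out->dport = (uint16_t)((p[2 * alen + 2] << 8) | p[2 * alen + 3]);
    return PP2_OK;
}

/* Render a parse result as one log-style line (static buffer, not thread-safe). */
const char *pp2_describe(const uint8_t *buf, size_t n)
{
    static const char *reason[] = { "ok", "frame truncated", "bad signature",
        "unsupported version", "unsupported family",
        "payload shorter than family minimum" };
    static char line[160];
    struct pp2_addr a;
    enum pp2_status st = pp2_parse(buf, n, &a);
    if (st != PP2_OK)
        snprintf(line, sizeof line, "rejected: %s", reason[st]);
    else
        snprintf(line, sizeof line, "%s src=%s sport=%u dst=%s dport=%u",
                 a.family == PP2_FAM_TCP4 ? "TCPv4" : "TCPv6",
                 a.src, (unsigned)a.sport, a.dst, (unsigned)a.dport);
    return line;
}

/* Constructed sample frames (hand-built for this example, not captured traffic). */
const uint8_t SAMPLE_TCP4_OK[] = { PP2_SIG_BYTES, 0x21,0x11, 0x00,0x0C,
    192,0,2,10, 198,51,100,5, 0x9C,0x40, 0x00,0x19 };
const uint8_t SAMPLE_TCP6_OK[] = { PP2_SIG_BYTES, 0x21,0x21, 0x00,0x24,
    0x20,0x01,0x0D,0xB8, 0,0,0,0,0,0,0,0,0,0,0, 0x10,
    0x20,0x01,0x0D,0xB8, 0,0,0,0,0,0,0,0,0,0,0, 0x25,
    0xC3,0x50, 0x02,0x4B };
/* The advisory's case: TCPv6 family with a declared payload length of zero. */
const uint8_t SAMPLE_TCP6_ZERO_LEN[] = { PP2_SIG_BYTES, 0x21,0x21, 0x00,0x00 };
/* TCPv4 family carrying only 4 of the required 12 payload bytes. */
const uint8_t SAMPLE_TCP4_SHORT[] = { PP2_SIG_BYTES, 0x21,0x11, 0x00,0x04, 192,0,2,10 };

int main(void)
{
    printf("%s\n", pp2_describe(SAMPLE_TCP4_OK,       sizeof SAMPLE_TCP4_OK));
    printf("%s\n", pp2_describe(SAMPLE_TCP6_OK,       sizeof SAMPLE_TCP6_OK));
    printf("%s\n", pp2_describe(SAMPLE_TCP6_ZERO_LEN, sizeof SAMPLE_TCP6_ZERO_LEN));
    printf("%s\n", pp2_describe(SAMPLE_TCP4_SHORT,    sizeof SAMPLE_TCP4_SHORT));
    return 0;
}
```

The design point is the ordering: the family is resolved first so the lower bound is known before any payload byte is read, and the output struct is only filled on success, so whatever the banner code later renders is always bytes that came off the wire rather than whatever the stack happened to hold. A listener that logs the rejection reason also gives operators a cheap detection signal for malformed PROXY frames arriving from hosts_proxy addresses.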