The Exim development team pushed 4.99.2 to the public mailing list on May 2, 2026, capping a coordinated disclosure that had been quietly distributed to Linux distribution maintainers since April 24. The release closes four memory-safety defects — one DNS-triggered crash, one heap-corruption primitive reachable from untrusted message headers, one out-of-bounds read in UTF-8 header processing, and a buffer flaw in the legacy SPA authentication driver. Every Exim install older than 4.99.2 is in scope.

Given that Exim is still the default MTA on Debian, runs in front of a non-trivial fraction of cPanel mail flows, and ships baked into countless appliances and self-hosted setups, this advisory affects far more infrastructure than the relatively muted CVSS scores suggest.

What’s in the bundle

CVE-2026-40684 — DNS-triggered crash on musl systems. A malformed PTR record fed back to Exim during reverse-DNS lookups triggers an octal printing error specific to the musl C library implementation. glibc-based hosts are not affected, but Alpine-based mail relays (popular in containerized SMTP gateways) will crash on the first poisoned response. No authentication required — anyone who can influence a PTR lookup against a delivery target qualifies.

CVE-2026-40685 — JSON heap corruption (CWE-684, CVSS 6.5). This is the one to watch. The bug lives in Exim’s JSON operator, used by ACLs and string expansions that parse JSON payloads found in untrusted message headers. An incorrect implementation of backslash-escape skipping lets a malicious header drive an out-of-bounds heap write. Anyone configuring header-based JSON expansion — increasingly common for routing through filtering pipelines and AI scoring services — exposes a write primitive to anonymous SMTP senders.

CVE-2026-40686 — UTF-8 header out-of-bounds read. Oversized UTF-8 trailing characters in headers can leak adjacent heap data when Exim subsequently emits an error message during the same connection. The leak is opportunistic and only triggers when the connection generates downstream errors, but on busy relays that is the rule, not the exception. Useful as an info-leak primitive when chained with the JSON bug.

CVE-2026-40687 — SPA authentication driver out-of-bounds read/write. A hostile external connection can crash the Exim process or leak heap data through the SPA (NTLM) authentication path. Most modern deployments do not enable SPA, but legacy stacks and Windows-interop relays still ship with it active.

Reachability and exploit posture

The headline pairing is CVE-2026-40685 plus CVE-2026-40686: a heap-write controllable from a sender-supplied header, plus a co-located info-leak that can defeat ASLR on the same connection. That’s the canonical recipe for unauthenticated RCE on a mail server, and Exim’s history (think CVE-2019-10149 Return of the WIZard, or CVE-2023-42115) shows that crafty researchers turn this kind of pairing into reliable code execution within weeks of disclosure. No public exploit is circulating yet, but treat that as a countdown rather than a reprieve.

Mitigation

Upgrade to Exim 4.99.2 immediately. Source tarballs are available from the official FTP and Git repositories. Distribution maintainers received the patches a week ahead of public disclosure, so Debian, Ubuntu, RHEL, Alpine, and SUSE security feeds should already have packaged builds in their security channels — pull them now rather than waiting for the next patch cycle.

If you can’t restart MTAs immediately:

  • Disable JSON-operator usage in ACLs and routers until patched (mitigates CVE-2026-40685/40686 chain).
  • Disable the SPA authentication driver if it isn’t load-bearing.
  • For musl-based hosts (Alpine images, distroless mail containers), restrict reverse-DNS queries to trusted resolvers or pin a known-good PTR cache to defang CVE-2026-40684.
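To decide which of these interim steps apply on a given host, here is an added triage script (not Exim project code, not from the advisory). It reads the text of `exim -bV` and the running configuration, reports whether the build predates 4.99.2, and flags the configured features that put CVE-2026-40685/40686 and CVE-2026-40687 in reach. It assumes SPA is enabled by an authenticator with `driver = spa` and that JSON parsing is reached through `${extract json...}` / `${extract jsons...}` expansion items; the sample inputs are constructed.

```shell
# Added exposure triage for the Exim 4.99.2 bundle (not Exim project code). Works on
# captured text; on a live host: triage "$(exim -bV)" "$(cat /etc/exim4/exim4.conf)".
# Assumes SPA is enabled by an authenticator with "driver = spa" and that JSON parsing
# is reached through "${extract json{..}{..}}" / "${extract jsons..}" expansion items.
FIXED="4.99.2"
# version_lt A B: succeeds when dotted version A is older than B (missing parts = 0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0; if (p > q) exit 1
        }
        exit 1 }'
}
# exim_version BV_TEXT: prints A.B.C from the "Exim version" line of `exim -bV`.
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9.]*\).*/\1/p' | head -n 1
}
# has_spa_auth CONFIG_TEXT: succeeds when an SPA (NTLM) authenticator is configured.
has_spa_auth() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*driver[[:space:]]*=[[:space:]]*spa([[:space:]]|$)'
}
# uses_json_expansion CONFIG_TEXT: succeeds when JSON extraction appears in an expansion.
uses_json_expansion() {
    printf '%s\n' "$1" | grep -Eq '\$\{extract[[:space:]]+jsons?[[:space:]]*\{'
}
# triage BV_TEXT CONFIG_TEXT: one finding per line, mapped to the CVEs in the bundle.
triage() {
    v=$(exim_version "$1")
    if version_lt "$v" "$FIXED"; then
        echo "unpatched $v (fixed in $FIXED)"
        uses_json_expansion "$2" && echo "json-expansion: CVE-2026-40685/40686 header path reachable"
        has_spa_auth "$2" && echo "spa-authenticator: CVE-2026-40687 reachable"
    else
        echo "patched $v"
    fi
    return 0
}
# Constructed sample inputs, not captured from a real host.
SAMPLE_BV='Exim version 4.98.1 #2 built 12-Mar-2025 10:11:12
Authenticators: cram_md5 plaintext spa
Configuration file is /etc/exim4/exim4.conf'
SAMPLE_CONF='acl_check_data:
  warn  set acl_m_score = ${extract json{score}{$h_X-Filter-Result:}}
begin authenticators
spa_login:
  driver = spa'
triage "$SAMPLE_BV" "$SAMPLE_CONF"
```

A host that is already on 4.99.2 prints only `patched 4.99.2`; the feature findings are only listed while the build is still in scope.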

Branches older than 4.99.x are end-of-life and will not receive backports. If you’re running 4.97 or earlier in production, a major version bump is now load-bearing for security, not just a “should-do.”

Why this matters

SMTP is one of the few protocols where unauthenticated remote attackers routinely get to feed bytes directly into a complex, header-parsing C codebase running as a privileged daemon. Every Exim CVE that touches the header path deserves the same urgency as a public-facing web server bug. Patch tonight.

Sources: Exim 4.99.2 release notes (linuxcompatible), Exim security release bundle (CIRCL), Exim 4.99.2 — DirectAdmin Forums announcement.