usn-8382-1
Vulnerability from osv_ubuntu
Published
2026-06-03 16:29
Modified
2026-06-03 16:29
Summary
exim4 vulnerabilities
Details

Timo Longin discovered that Exim incorrectly handled certain SMTP messages in PIPELINING/CHUNKING configurations. A remote attacker could possibly use this issue to perform SMTP smuggling. This issue only affected Ubuntu 14.04 LTS. (CVE-2023-51766)

It was discovered that Exim incorrectly handled certain malformed JSON data in headers. A remote attacker could possibly use this issue to crash Exim, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-40685)

It was discovered that Exim incorrectly handled certain malformed UTF-8 headers. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-40686)

It was discovered that Exim incorrectly handled certain SPA resources. A remote attacker could possibly use this issue to crash Exim, resulting in a denial of service, or obtain sensitive information. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-40687)

It was discovered that Exim incorrectly handled certain CHUNKING transfers in some GnuTLS configurations. A remote attacker could possibly use this issue to crash Exim, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-45185)

Warisjeet Singh discovered that Exim incorrectly handled certain proxy connections in builds with proxy support enabled. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2026-48840)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2023-51766",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:14.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "exim4",
            "binary_version": "4.82-3ubuntu2.4+esm9"
          },
          {
            "binary_name": "exim4-base",
            "binary_version": "4.82-3ubuntu2.4+esm9"
          },
          {
            "binary_name": "exim4-config",
            "binary_version": "4.82-3ubuntu2.4+esm9"
          },
          {
            "binary_name": "exim4-daemon-heavy",
            "binary_version": "4.82-3ubuntu2.4+esm9"
          },
          {
            "binary_name": "exim4-daemon-light",
            "binary_version": "4.82-3ubuntu2.4+esm9"
          },
          {
            "binary_name": "eximon4",
            "binary_version": "4.82-3ubuntu2.4+esm9"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:14.04:LTS",
        "name": "exim4",
        "purl": "pkg:deb/ubuntu/exim4@4.82-3ubuntu2.4+esm9?arch=source\u0026distro=esm-infra-legacy/trusty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.82-3ubuntu2.4+esm9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.80-7ubuntu3",
        "4.80-7ubuntu4",
        "4.80-9ubuntu1",
        "4.80-9ubuntu2",
        "4.82-3ubuntu1",
        "4.82-3ubuntu2",
        "4.82-3ubuntu2.1",
        "4.82-3ubuntu2.2",
        "4.82-3ubuntu2.3",
        "4.82-3ubuntu2.4",
        "4.82-3ubuntu2.4+esm1",
        "4.82-3ubuntu2.4+esm2",
        "4.82-3ubuntu2.4+esm3",
        "4.82-3ubuntu2.4+esm4",
        "4.82-3ubuntu2.4+esm6",
        "4.82-3ubuntu2.4+esm7",
        "4.82-3ubuntu2.4+esm8"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2026-48840",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:16.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "exim4",
            "binary_version": "4.86.2-2ubuntu2.6+esm9"
          },
          {
            "binary_name": "exim4-base",
            "binary_version": "4.86.2-2ubuntu2.6+esm9"
          },
          {
            "binary_name": "exim4-config",
            "binary_version": "4.86.2-2ubuntu2.6+esm9"
          },
          {
            "binary_name": "exim4-daemon-heavy",
            "binary_version": "4.86.2-2ubuntu2.6+esm9"
          },
          {
            "binary_name": "exim4-daemon-light",
            "binary_version": "4.86.2-2ubuntu2.6+esm9"
          },
          {
            "binary_name": "eximon4",
            "binary_version": "4.86.2-2ubuntu2.6+esm9"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:16.04:LTS",
        "name": "exim4",
        "purl": "pkg:deb/ubuntu/exim4@4.86.2-2ubuntu2.6+esm9?arch=source\u0026distro=esm-infra-legacy/xenial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.86.2-2ubuntu2.6+esm9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.86-3ubuntu1",
        "4.86-7ubuntu1",
        "4.86-7ubuntu2",
        "4.86-7ubuntu3",
        "4.86.2-2ubuntu1",
        "4.86.2-2ubuntu2",
        "4.86.2-2ubuntu2.1",
        "4.86.2-2ubuntu2.2",
        "4.86.2-2ubuntu2.3",
        "4.86.2-2ubuntu2.4",
        "4.86.2-2ubuntu2.5",
        "4.86.2-2ubuntu2.6",
        "4.86.2-2ubuntu2.6+esm1",
        "4.86.2-2ubuntu2.6+esm2",
        "4.86.2-2ubuntu2.6+esm4",
        "4.86.2-2ubuntu2.6+esm5",
        "4.86.2-2ubuntu2.6+esm6",
        "4.86.2-2ubuntu2.6+esm7",
        "4.86.2-2ubuntu2.6+esm8"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2026-48840",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:18.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "exim4",
            "binary_version": "4.90.1-1ubuntu1.10+esm6"
          },
          {
            "binary_name": "exim4-base",
            "binary_version": "4.90.1-1ubuntu1.10+esm6"
          },
          {
            "binary_name": "exim4-config",
            "binary_version": "4.90.1-1ubuntu1.10+esm6"
          },
          {
            "binary_name": "exim4-daemon-heavy",
            "binary_version": "4.90.1-1ubuntu1.10+esm6"
          },
          {
            "binary_name": "exim4-daemon-light",
            "binary_version": "4.90.1-1ubuntu1.10+esm6"
          },
          {
            "binary_name": "eximon4",
            "binary_version": "4.90.1-1ubuntu1.10+esm6"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:18.04:LTS",
        "name": "exim4",
        "purl": "pkg:deb/ubuntu/exim4@4.90.1-1ubuntu1.10+esm6?arch=source\u0026distro=esm-infra/bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.90.1-1ubuntu1.10+esm6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.89-5ubuntu1",
        "4.89-9ubuntu1",
        "4.89-9ubuntu2",
        "4.89-9ubuntu3",
        "4.89-9ubuntu4",
        "4.90.1-1ubuntu1",
        "4.90.1-1ubuntu1.1",
        "4.90.1-1ubuntu1.2",
        "4.90.1-1ubuntu1.3",
        "4.90.1-1ubuntu1.4",
        "4.90.1-1ubuntu1.5",
        "4.90.1-1ubuntu1.8",
        "4.90.1-1ubuntu1.9",
        "4.90.1-1ubuntu1.10",
        "4.90.1-1ubuntu1.10+esm1",
        "4.90.1-1ubuntu1.10+esm2",
        "4.90.1-1ubuntu1.10+esm3",
        "4.90.1-1ubuntu1.10+esm4",
        "4.90.1-1ubuntu1.10+esm5"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2026-40685",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-40686",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-40687",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-45185",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "high",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-48840",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:20.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "exim4",
            "binary_version": "4.93-13ubuntu1.12+esm1"
          },
          {
            "binary_name": "exim4-base",
            "binary_version": "4.93-13ubuntu1.12+esm1"
          },
          {
            "binary_name": "exim4-config",
            "binary_version": "4.93-13ubuntu1.12+esm1"
          },
          {
            "binary_name": "exim4-daemon-heavy",
            "binary_version": "4.93-13ubuntu1.12+esm1"
          },
          {
            "binary_name": "exim4-daemon-light",
            "binary_version": "4.93-13ubuntu1.12+esm1"
          },
          {
            "binary_name": "eximon4",
            "binary_version": "4.93-13ubuntu1.12+esm1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:20.04:LTS",
        "name": "exim4",
        "purl": "pkg:deb/ubuntu/exim4@4.93-13ubuntu1.12+esm1?arch=source\u0026distro=esm-infra/focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.93-13ubuntu1.12+esm1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.92.1-1ubuntu3",
        "4.92.1-1ubuntu4",
        "4.93~RC2-1ubuntu1",
        "4.93-9ubuntu1",
        "4.93-11ubuntu1",
        "4.93-12ubuntu1",
        "4.93-13ubuntu1",
        "4.93-13ubuntu1.1",
        "4.93-13ubuntu1.5",
        "4.93-13ubuntu1.6",
        "4.93-13ubuntu1.7",
        "4.93-13ubuntu1.8",
        "4.93-13ubuntu1.9",
        "4.93-13ubuntu1.10",
        "4.93-13ubuntu1.11",
        "4.93-13ubuntu1.12"
      ]
    }
  ],
  "aliases": [],
  "details": "Timo Longin discovered that Exim incorrectly handled certain SMTP messages\nin PIPELINING/CHUNKING configurations. A remote attacker could possibly use\nthis issue to perform SMTP smuggling. This issue only affected Ubuntu\n14.04 LTS. (CVE-2023-51766)\n\nIt was discovered that Exim incorrectly handled certain malformed JSON\ndata in headers. A remote attacker could possibly use this issue to crash\nExim, resulting in a denial of service, or execute arbitrary code. This\nissue only affected Ubuntu 20.04 LTS. (CVE-2026-40685)\n\nIt was discovered that Exim incorrectly handled certain malformed UTF-8\nheaders. A remote attacker could possibly use this issue to obtain\nsensitive information. This issue only affected Ubuntu 20.04 LTS.\n(CVE-2026-40686)\n\nIt was discovered that Exim incorrectly handled certain SPA resources.\nA remote attacker could possibly use this issue to crash Exim, resulting in\na denial of service, or obtain sensitive information. This issue only\naffected Ubuntu 20.04 LTS. (CVE-2026-40687)\n\nIt was discovered that Exim incorrectly handled certain CHUNKING\ntransfers in some GnuTLS configurations. A remote attacker could possibly\nuse this issue to crash Exim, resulting in a denial of service, or execute\narbitrary code. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-45185)\n\nWarisjeet Singh discovered that Exim incorrectly handled certain proxy\nconnections in builds with proxy support enabled. A remote attacker could\npossibly use this issue to obtain sensitive information. This issue only\naffected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.\n(CVE-2026-48840)",
  "id": "USN-8382-1",
  "modified": "2026-06-03T16:29:23Z",
  "published": "2026-06-03T16:29:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-8382-1"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2023-51766"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-40685"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-40686"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-40687"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-45185"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-48840"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "exim4 vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2023-51766",
    "UBUNTU-CVE-2026-40685",
    "UBUNTU-CVE-2026-40686",
    "UBUNTU-CVE-2026-40687",
    "UBUNTU-CVE-2026-45185",
    "UBUNTU-CVE-2026-48840"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…