Vulnerability in Exim
CVE-2019-16928
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
EPSS score: 0.903 (99.6th percentile), i.e. a very high estimated probability of exploitation activity in the next 30 days.
Affected products
- Exim, versions 4.92 through 4.92.2; fixed upstream in 4.92.3
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on 2022-03-03. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate by a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
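The affected range above is narrow (4.92, 4.92.1, 4.92.2) and the fix is a version bump, so the first thing to do on a fleet is to read each host's `exim -bV` banner and compare. The following is an added illustration of that check, not code from the Exim project or from any of the advisories listed on this page. It assumes the first line of `exim -bV` has the form `Exim version X.Y[.Z] #N built ...`; the sample banner embedded below is constructed, not captured from a real host.

```python
"""Classify an Exim build against the CVE-2019-16928 affected range.

Added example for this advisory page; not Exim project code.
Assumption: `exim -bV` prints "Exim version X.Y[.Z] #N built ..." as its
first line. The SAMPLE_BV banner below is constructed for illustration.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Range from the advisory: 4.92 through 4.92.2 inclusive; 4.92.3 contains the fix.
AFFECTED_MIN: Version = (4, 92, 0)
AFFECTED_MAX: Version = (4, 92, 2)
FIXED_UPSTREAM: Version = (4, 92, 3)

# "4.92" has no patch component; treat a missing one as 0 so (4,92,0) == 4.92.
VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)

# Constructed sample of what a vulnerable build's banner looks like.
SAMPLE_BV = """Exim version 4.92.2 #3 built 22-Sep-2019 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS DKIM DNSSEC Event OCSP PRDR SOCKS
"""


def parse_version(bv_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `exim -bV` output, or None if absent."""
    m = VERSION_RE.search(bv_output)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected_upstream(v: Version) -> bool:
    """True when the upstream version string falls inside the advisory's range."""
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def assess(bv_output: str) -> str:
    """Return 'affected', 'not-affected' or 'unknown' for a captured banner.

    'affected' is based purely on the upstream version string; distribution
    packages that backport the fix keep the same string (see usage note), so
    treat 'affected' as "confirm with the package manager", not as proof.
    """
    v = parse_version(bv_output)
    if v is None:
        return "unknown"
    return "affected" if is_affected_upstream(v) else "not-affected"


def live_check(exim_binary: str = "exim") -> str:
    """Run `exim -bV` on this host and classify it. Not exercised offline."""
    try:
        out = subprocess.run([exim_binary, "-bV"], capture_output=True,
                             text=True, timeout=10, check=False).stdout
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return assess(out)


if __name__ == "__main__":
    print("sample banner:", assess(SAMPLE_BV))
    print("this host:", live_check())
```

Caveat on distribution packages: Debian (DSA-4536) and Ubuntu (USN-4141-1) shipped the fix as a patch to their existing 4.92 packages, so a patched host can still report `Exim version 4.92` and be classified `affected` by this check. On those systems resolve an `affected` result with the package version (for example `dpkg -s exim4-base`) against the distribution advisory before concluding the host is vulnerable.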
Public proof-of-concept exploits
References
- lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html (x_refsource_MISC)
- bugs.exim.org/show_bug.cgi (x_refsource_MISC)
- git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f (x_refsource_MISC)
- [oss-security] 20190928 Exim CVE-2019-16928 RCE using a heap-based buffer overflow (mailing-list, x_refsource_MLIST)
- [oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow (mailing-list, x_refsource_MLIST)
- [oss-security] 20190928 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow (mailing-list, x_refsource_MLIST)
- DSA-4536 (vendor-advisory, x_refsource_DEBIAN)
- USN-4141-1 (vendor-advisory, x_refsource_UBUNTU)
- [oss-security] 20190929 Re: Exim CVE-2019-16928 RCE using a heap-based buffer overflow (mailing-list, x_refsource_MLIST)
- 20190929 [SECURITY] [DSA 4536-1] exim4 security update (mailing-list, x_refsource_BUGTRAQ)
Frequently asked questions
- What is CVE-2019-16928?
- CVE-2019-16928 is a heap-based buffer overflow in Exim 4.92 through 4.92.2 (string_vformat in string.c, reachable via a long EHLO command) that allows remote code execution. Published 2019-09-27.
- Is CVE-2019-16928 known to be exploited?
- Yes. CVE-2019-16928 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-03-03), which means CISA has evidence of exploitation in the wild. 10 public proof-of-concept repositories are indexed.