What is CVE-2026-40684?

CVE-2026-40684 is a medium-severity vulnerability in Exim, classified under CWE-684. CVSS score: 5.9/10. Published 2026-04-30.

How severe is CVE-2026-40684?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Vulnerability in Exim

CVE-2026-40684

In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

EPSS: 0.002 (40.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Exim — versions 0

Weakness classification (CWE)

CWE-684

References

cve@mitre.org (Mailing List, Third Party Advisory)
cve@mitre.org (Vendor Advisory)
cve@mitre.org (Patch)
cve@mitre.org (Broken Link)
af854a3a-2127-422b-91ae-364da2661108

Frequently asked questions

What is CVE-2026-40684?: CVE-2026-40684 is a medium-severity vulnerability in Exim, classified under CWE-684. CVSS score: 5.9/10. Published 2026-04-30.
How severe is CVE-2026-40684?: Medium severity. CVSS v3 base score is 5.9 out of 10.