CVE-2026-40684
7.5
HIGH
CVSS 3.1
EPSS 0.19%
Description
In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.
How to fix CVE-2026-40684
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Debian/exim4—no fix listed
Is CVE-2026-40684 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |