Exim
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Exim.
Known Exploited Exim Vulnerabilities
The following Exim vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Exim Privilege Escalation Vulnerability |
Exim allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands. CVE-2010-4345 Exploit Probability: 4.0% |
March 25, 2022 |
| Exim Heap-Based Buffer Overflow Vulnerability |
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session. CVE-2010-4344 Exploit Probability: 61.5% |
March 25, 2022 |
| Exim Buffer Overflow Vulnerability |
Issue in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely. CVE-2018-6789 Exploit Probability: 86.4% |
November 3, 2021 |
The vulnerability CVE-2018-6789: Exim Buffer Overflow Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. The vulnerability CVE-2010-4344: Exim Heap-Based Buffer Overflow Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.
Exim EOL Dates
Ensure that you are using a supported version of Exim. Here are some end of life, and end of support dates for Exim.
| Release | EOL Date | Status |
|---|---|---|
| 4.99 | - |
Active
|
| 4.98 | October 28, 2025 |
EOL
Exim 4.98 became EOL in 2025. |
| 4.97 | July 10, 2024 |
EOL
Exim 4.97 became EOL in 2024. |
| 4.96 | November 4, 2023 |
EOL
Exim 4.96 became EOL in 2023. |
| 4.95 | June 25, 2022 |
EOL
Exim 4.95 became EOL in 2022. |
| 4.94 | September 28, 2021 |
EOL
Exim 4.94 became EOL in 2021. |
| 4.93 | June 1, 2020 |
EOL
Exim 4.93 became EOL in 2020. |
| 4.92 | December 8, 2019 |
EOL
Exim 4.92 became EOL in 2019. |
| 4.91 | February 10, 2019 |
EOL
Exim 4.91 became EOL in 2019. |
| 4.90 | April 15, 2018 |
EOL
Exim 4.90 became EOL in 2018. |
| 4.89 | December 19, 2017 |
EOL
Exim 4.89 became EOL in 2017. |
| 4.88 | March 7, 2017 |
EOL
Exim 4.88 became EOL in 2017. |
| 4.87 | December 18, 2016 |
EOL
Exim 4.87 became EOL in 2016. |
| 4.86 | April 6, 2016 |
EOL
Exim 4.86 became EOL in 2016. |
| 4.85 | July 26, 2015 |
EOL
Exim 4.85 became EOL in 2015. |
| 4.84 | January 12, 2015 |
EOL
Exim 4.84 became EOL in 2015. |
| 4.83 | August 11, 2014 |
EOL
Exim 4.83 became EOL in 2014. |
| 4.82 | July 21, 2014 |
EOL
Exim 4.82 became EOL in 2014. |
| 4.80 | October 28, 2013 |
EOL
Exim 4.80 became EOL in 2013. |
| 4.77 | May 31, 2012 |
EOL
Exim 4.77 became EOL in 2012. |
By the Year
In 2026 there have been 0 vulnerabilities in Exim. Last year, in 2025 Exim had 4 security vulnerabilities published. Right now, Exim is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 4 | 7.25 |
| 2024 | 6 | 0.00 |
| 2023 | 1 | 0.00 |
| 2022 | 4 | 7.93 |
| 2021 | 22 | 8.22 |
| 2020 | 1 | 7.50 |
| 2019 | 4 | 9.80 |
| 2018 | 1 | 9.80 |
It may take a day or so for new Exim vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Exim Security Vulnerabilities
Exim <4.99.1 Remote Heap Corruption
CVE-2025-67896
7 - High
- December 14, 2025
Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation.
Heap-based Buffer Overflow
Exim logrotate Symlink Following P8 Escalation before 4.98.2
CVE-2025-53881
- October 02, 2025
A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.This issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1.
Symlink following
Use-After-Free in Exim 4.96-4.98.1 Allows Privilege Escalation
CVE-2025-30232
- March 28, 2025
A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges.
Exim 4.98<4.98.1 Remote SQLi via SQLite Hints & ETRN
CVE-2025-26794
7.5 - High
- February 21, 2025
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)
SQL Injection
Exim <=4.97.1 RFC2231 Header Filename Parsing Bypass Allows Exec Attachments
CVE-2024-39929
- July 04, 2024
Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.
Exim AUTH OOB Write RCE Vulnerability
CVE-2023-42115
- May 03, 2024
Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. . Was ZDI-CAN-17434.
Exim SMTP NTLM Challenge Stack Buffer Overflow RCE
CVE-2023-42116
- May 03, 2024
Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. . Was ZDI-CAN-17515.
Stack Overflow
Exim SMTP RCE: Improper Neutralization Leads to Remote Execution
CVE-2023-42117
- May 03, 2024
Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17554.
Improper Neutralization of Special Elements
Exim dnsdb OOB Read Info Disclosure in SMTP Service
CVE-2023-42119
- May 03, 2024
Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. . Was ZDI-CAN-17643.
Out-of-bounds Read
Exim NTLM Challenge OOB Read Info Disclosure
CVE-2023-42114
- May 03, 2024
Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to disclose information in the context of the service account. . Was ZDI-CAN-17433.
Out-of-bounds Read
Exim <4.97.1: SMTP Smuggling bypass SPF via PIPELINING/CHUNKING
CVE-2023-51766
- December 24, 2023
Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.
Exim DMARC Handler use-after-free in dmarc_dns_lookup
CVE-2022-3620
9.8 - Critical
- October 20, 2022
A vulnerability was found in Exim and classified as problematic. This issue affects the function dmarc_dns_lookup of the file dmarc.c of the component DMARC Handler. The manipulation leads to use after free. The attack may be initiated remotely. The name of the patch is 12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211919.
Buffer Overflow
Exim RegexHandler UAF in Regex Processing
CVE-2022-3559
4.6 - Medium
- October 17, 2022
A vulnerability was found in Exim and classified as problematic. This issue affects some unknown processing of the component Regex Handler. The manipulation leads to use after free. The name of the patch is 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2. It is recommended to apply a patch to fix this issue. The identifier VDB-211073 was assigned to this vulnerability.
Buffer Overflow
Exim <4.95 Heap Buffer Overflow in host_name_lookup (alias list)
CVE-2022-37452
9.8 - Critical
- August 07, 2022
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
Memory Corruption
Exim <4.96: Invalid Free in pam_converse (store_free missing)
CVE-2022-37451
7.5 - High
- August 06, 2022
Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.
Release of Invalid Pointer or Reference
The STARTTLS feature in Exim through 4.94.2
CVE-2021-38371
- August 10, 2021
The STARTTLS feature in Exim through 4.94.2 allows response injection (buffering) during MTA SMTP sending.
Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '
CVE-2020-28013
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '.('" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy.
Memory Corruption
Exim 4 before 4.94.2 has Execution with Unnecessary Privileges
CVE-2021-27216
6.3 - Medium
- May 06, 2021
Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.
Improper Privilege Management
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges
CVE-2020-28007
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.
insecure temporary file
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges
CVE-2020-28008
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution.
Improper Privilege Management
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads
CVE-2020-28009
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days).
Integer Overflow or Wraparound
Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer
CVE-2020-28010
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms).
Memory Corruption
Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S
CVE-2020-28011
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root.
Memory Corruption
Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe
CVE-2020-28012
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges
CVE-2020-28014
6.1 - Medium
- May 06, 2021
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten.
Improper Privilege Management
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations
CVE-2020-28026
9.8 - Critical
- May 06, 2021
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root.
Exim 4 before 4.94.2
CVE-2020-28025
7.5 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory.
Out-of-bounds Read
Exim 4 before 4.94.2 allows Buffer Underwrite
CVE-2020-28024
9.8 - Critical
- May 06, 2021
Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF.
Buffer Overflow
Exim 4 before 4.94.2 allows Out-of-bounds Read
CVE-2020-28023
7.5 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client.
Out-of-bounds Read
Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer
CVE-2020-28022
9.8 - Critical
- May 06, 2021
Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands.
Buffer Overflow
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters
CVE-2020-28021
8.8 - High
- May 06, 2021
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command.
Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences
CVE-2020-28019
7.5 - High
- May 06, 2021
Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA.
Improper Initialization
Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations
CVE-2020-28018
9.8 - Critical
- May 06, 2021
Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.
Dangling pointer
Exim 4 before 4.94.2
CVE-2020-28017
9.8 - Critical
- May 06, 2021
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.
Integer Overflow or Wraparound
Exim 4 before 4.94.2
CVE-2020-28016
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because "-F ''" is mishandled by parse_fix_phrase.
Memory Corruption
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters
CVE-2020-28015
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character.
Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in
CVE-2020-28020
9.8 - Critical
- May 06, 2021
Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction.
Integer Overflow or Wraparound
Exim through 4.93 has an out-of-bounds read in the SPA authenticator
CVE-2020-12783
7.5 - High
- May 11, 2020
Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.
Out-of-bounds Read
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846
CVE-2019-16928
9.8 - Critical
- September 27, 2019
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
Memory Corruption
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root
CVE-2019-15846
9.8 - Critical
- September 06, 2019
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations
CVE-2019-13917
9.8 - Critical
- July 25, 2019
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).
Data Processing Errors
A flaw was found in Exim versions 4.87 to 4.91 (inclusive)
CVE-2019-10149
- June 05, 2019
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
Shell injection
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1
CVE-2018-6789
9.8 - Critical
- February 08, 2018
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
Classic Buffer Overflow
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
CVE-2017-16943
9.8 - Critical
- November 25, 2017
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
Dangling pointer
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
CVE-2017-16944
7.5 - High
- November 25, 2017
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.
Infinite Loop
The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled
CVE-2014-2957
- September 04, 2014
The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function.
Improper Input Validation
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session
CVE-2010-4344
9.8 - Critical
- December 14, 2010
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
Memory Corruption
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive
CVE-2010-4345
7.8 - High
- December 14, 2010
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.
Command Injection
