Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Ubuntu Security

USN-8228-1: Exim vulnerabilities

Three vulnerabilities affect Exim versions prior to 4.99.2 and require immediate patching: CVE-2026-40685 (CVSS 6.5) allows remote code execution via malformed JSON in message headers, CVE-2026-40686 (CVSS 3.7) enables information disclosure through processing of UTF-8 trailing characters, and CVE-2026-40687 (CVSS 4.8) permits authenticated remote code execution via SPA authenticator input. The fix is to upgrade all affected systems to Exim version 4.99.2.

It was discovered that Exim incorrectly handled parsing malformed JSON in message headers. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-40685)

It was discovered that Exim incorrectly handled processing of UTF-8 trailing characters. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-40686)

It was discovered that Exim incorrectly handled SPA authenticator input. An authenticated user could possibly use this issue to execute arbitrary code. (CVE-2026-40687)
