Dear Exim users,

The Exim maintainers are releasing a security fix for CVE-2026-48840.

Identifier:    EXIM-Security-2026-05-19.1 (CVE-2026-48840)
Type:          pre-authentication information disclosure
Component:     Exim
Affects:       4.88 (2017) through the current 4.99.3 release
Corrected in:  Exim 4.99.4 (exim-4.99.4)
Credit:        Warisjeet Singh (sin99xx)

Vulnerability Details
---------------------

proxy_protocol() declares hdr as an uninitialised stack union. For a
PROXYv2 frame, the only length guard is an upper bound: the frame size
must not exceed sizeof(hdr). No lower bound is checked.

A frame with address family 0x21 (TCPv6) and len=0 sets the read size
to 16, causing the read loop to copy exactly 0 bytes into the union.
The TCPv6 dispatch arm then unconditionally calls:

    memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16)

copying 16 uninitialised stack bytes into tmpip6, which inet_ntop
formats as an IPv6 address string. That string is written to
sender_host_address and emitted in the SMTP greeting banner:

    250 hostname Hello probe [::68ef:38ad:ffff:0]

The same defect affects family 0x11 (TCPv4) with len < 12 (4 leaked
bytes instead of 16).

The leaked bytes track ASLR entropy across daemon restarts and are
confirmed to be live userspace VA pointers, making this an ASLR-defeat
primitive usable as a chain component.

Fix: add minimum-length checks per address family (12 bytes for
TCPv4/0x11, 36 bytes for TCPv6/0x21) before the union is accessed.
Frames that fail the check are rejected with proxyfail, consistent with
all other malformed-frame handling in the function.

Reported by Warisjeet Singh (sin99xx). Tested on aarch64 Linux;
architecture-independent (only leaked content varies).

Affected Configurations
-----------------------

Exim compiled with SUPPORT_PROXY (default in Debian, Ubuntu, RHEL/Fedora
packages) and hosts_proxy set to a non-empty value. The attacker's source
IP must match hosts_proxy, or the attacker must be able to reach the port
that expects a PROXY header through a host already in hosts_proxy.
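The following is an added example written for readers of this advisory;
it is not Exim's proxy_protocol() and does not reproduce that function's
structure. It shows the shape of the check the fix adds: a PROXYv2 frame
carries a 16-byte fixed header (12-byte signature, version/command,
family/transport, big-endian payload length), and before any address
field is read the payload length must be at least the family's address
block size, 12 bytes for TCPv4 (0x11) and 36 bytes for TCPv6 (0x21). An
upper-bound-only check is kept beside the corrected one so the difference
is visible on the same input. The byte-level parser, the PP2_* names, the
verdict enum and the 216-byte upper bound are assumptions of this example,
not Exim's definitions.

```c
/* Added example, not Exim's code: per-family minimum-length validation
 * for PROXY protocol v2 fixed headers. PP2_* names, the verdict enum and
 * the 216-byte upper bound are this example's own assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PP2_SIG      "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"
#define PP2_SIG_LEN  12
#define PP2_HDR_LEN  16
#define PP2_AF_TCP4  0x11
#define PP2_AF_TCP6  0x21
#define PP2_MIN_TCP4 12   /* 4-byte src + 4-byte dst + two 2-byte ports */
#define PP2_MIN_TCP6 36   /* 16-byte src + 16-byte dst + two 2-byte ports */
#define PP2_MAX_LEN  216  /* assumed stand-in for the payload space in sizeof(hdr) */

enum pp2_verdict {
    PP2_ACCEPT = 0,
    PP2_REJECT_BAD_HEADER,
    PP2_REJECT_TOO_LONG,
    PP2_REJECT_TOO_SHORT,
    PP2_REJECT_FAMILY
};

/* Parse the fixed header; false if truncated, wrong signature or not v2. */
static bool pp2_parse_fixed(const uint8_t *buf, size_t buflen,
                            uint8_t *family, uint16_t *len)
{
    if (buflen < PP2_HDR_LEN || memcmp(buf, PP2_SIG, PP2_SIG_LEN) != 0)
        return false;
    if ((buf[12] & 0xF0) != 0x20)        /* high nibble: protocol version 2 */
        return false;
    *family = buf[13];
    *len = (uint16_t)((buf[14] << 8) | buf[15]);   /* big-endian length */
    return true;
}

/* Pre-fix shape of the check: an upper bound only. A TCPv6 frame with
 * len=0 passes, and the address reads that follow would touch bytes the
 * frame never supplied. */
enum pp2_verdict pp2_check_upper_only(const uint8_t *buf, size_t buflen)
{
    uint8_t family; uint16_t len;
    if (!pp2_parse_fixed(buf, buflen, &family, &len)) return PP2_REJECT_BAD_HEADER;
    if (len > PP2_MAX_LEN) return PP2_REJECT_TOO_LONG;
    return PP2_ACCEPT;
}

/* Fixed shape: the per-family minimum is enforced before the address
 * block is dereferenced, so a short frame is rejected like any other
 * malformed frame. Families other than TCPv4/TCPv6 are outside this
 * example's scope and are rejected outright. */
enum pp2_verdict pp2_check_fixed(const uint8_t *buf, size_t buflen)
{
    uint8_t family; uint16_t len;
    if (!pp2_parse_fixed(buf, buflen, &family, &len)) return PP2_REJECT_BAD_HEADER;
    if (len > PP2_MAX_LEN) return PP2_REJECT_TOO_LONG;
    switch (family) {
    case PP2_AF_TCP4: if (len < PP2_MIN_TCP4) return PP2_REJECT_TOO_SHORT; break;
    case PP2_AF_TCP6: if (len < PP2_MIN_TCP6) return PP2_REJECT_TOO_SHORT; break;
    default:          return PP2_REJECT_FAMILY;
    }
    return PP2_ACCEPT;
}

/* Build a constructed fixed header for testing (not captured traffic);
 * out must hold PP2_HDR_LEN bytes. */
size_t pp2_build_header(uint8_t *out, uint8_t family, uint16_t len)
{
    memcpy(out, PP2_SIG, PP2_SIG_LEN);
    out[12] = 0x21;                      /* version 2, command PROXY */
    out[13] = family;
    out[14] = (uint8_t)(len >> 8);
    out[15] = (uint8_t)(len & 0xFF);
    return PP2_HDR_LEN;
}

int main(void)
{
    static const char *names[] = { "accept", "bad-header", "too-long",
                                   "too-short", "family" };
    struct { uint8_t family; uint16_t len; } cases[] = {
        { PP2_AF_TCP6, 0 }, { PP2_AF_TCP4, 8 }, { PP2_AF_TCP4, 12 },
        { PP2_AF_TCP6, 36 }, { PP2_AF_TCP6, 300 }
    };
    uint8_t hdr[PP2_HDR_LEN];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = pp2_build_header(hdr, cases[i].family, cases[i].len);
        printf("family 0x%02x len %3u: upper-only=%s fixed=%s\n",
               (unsigned)cases[i].family, (unsigned)cases[i].len,
               names[pp2_check_upper_only(hdr, n)],
               names[pp2_check_fixed(hdr, n)]);
    }
    return 0;
}
```

The constructed TCPv6 frame with len=0 is exactly the case the advisory
describes: the upper-bound-only check accepts it, the corrected check
rejects it as too short before any address byte is consulted.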
Mitigations
-----------

- Narrow hosts_proxy to the exact load-balancer IPs (not a CIDR superset).
- Unset hosts_proxy entirely to disable PROXY-protocol parsing on the
  affected listener.

Resolution
----------

Upgrade to Exim 4.99.4. The fix is on branch exim-4.99+fixes, tag
exim-4.99.4, signed by Heiko Schlittermann (HS12-RIPE) <[email protected]>,
key 0xDD98D92359DE9E3C2663F291697F0EDD68099F6F.

Downloads
---------

https://ftp.exim.org/pub/exim/exim4/
https://code.exim.org/exim/exim/releases

Advisory
--------

https://www.exim.org/static/doc/security/EXIM-Security-2026-05-19.1/

Timeline
--------

2026-05-19 12:35 UTC  Report received from Warisjeet Singh (sin99xx)
2026-05-19 13:26 UTC  Acknowledgement sent to reporter
2026-05-19 14:06 UTC  Root cause confirmed; fix drafted
2026-05-25 13:30 UTC  CVE request submitted to Mitre via cveform.mitre.org
2026-05-25 17:57 UTC  CVE-2026-48840 assigned by MITRE
2026-05-26 00:41 UTC  Advance notice (distro-pre.txt) sent to [email protected]
2026-05-26 00:47 UTC  Advance notice sent to [email protected]
2026-05-27 14:00 UTC  Fix branch and tag exim-4.99.4 pushed to exim-distros
2026-05-29 14:00 UTC  Public release

-- 
Heiko Schlittermann
On behalf of the Exim Maintainers
