{"id":"USN-8382-1","summary":"exim4 vulnerabilities","details":"Timo Longin discovered that Exim incorrectly handled certain SMTP messages\nin PIPELINING/CHUNKING configurations. A remote attacker could possibly use\nthis issue to perform SMTP smuggling. This issue only affected Ubuntu\n14.04 LTS. (CVE-2023-51766)\n\nIt was discovered that Exim incorrectly handled certain malformed JSON\ndata in headers. A remote attacker could possibly use this issue to crash\nExim, resulting in a denial of service, or execute arbitrary code. This\nissue only affected Ubuntu 20.04 LTS. (CVE-2026-40685)\n\nIt was discovered that Exim incorrectly handled certain malformed UTF-8\nheaders. A remote attacker could possibly use this issue to obtain\nsensitive information. This issue only affected Ubuntu 20.04 LTS.\n(CVE-2026-40686)\n\nIt was discovered that Exim incorrectly handled certain SPA resources.\nA remote attacker could possibly use this issue to crash Exim, resulting in\na denial of service, or obtain sensitive information. This issue only\naffected Ubuntu 20.04 LTS. (CVE-2026-40687)\n\nIt was discovered that Exim incorrectly handled certain CHUNKING\ntransfers in some GnuTLS configurations. A remote attacker could possibly\nuse this issue to crash Exim, resulting in a denial of service, or execute\narbitrary code. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-45185)\n\nWarisjeet Singh discovered that Exim incorrectly handled certain proxy\nconnections in builds with proxy support enabled. A remote attacker could\npossibly use this issue to obtain sensitive information. This issue only\naffected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.\n(CVE-2026-48840)","modified":"2026-06-04T02:18:10.818665128Z","published":"2026-06-03T16:29:23Z","related":["UBUNTU-CVE-2023-51766","UBUNTU-CVE-2026-40685","UBUNTU-CVE-2026-40686","UBUNTU-CVE-2026-40687","UBUNTU-CVE-2026-45185","UBUNTU-CVE-2026-48840"],"upstream":["CVE-2023-51766","CVE-2026-40685","CVE-2026-40686","CVE-2026-40687","CVE-2026-45185","CVE-2026-48840","UBUNTU-CVE-2023-51766","UBUNTU-CVE-2026-40685","UBUNTU-CVE-2026-40686","UBUNTU-CVE-2026-40687","UBUNTU-CVE-2026-45185","UBUNTU-CVE-2026-48840"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8382-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-51766"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-40685"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-40686"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-40687"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-45185"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-48840"}],"affected":[{"package":{"name":"exim4","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/exim4?arch=source&distro=esm-infra-legacy%2Ftrusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.82-3ubuntu2.4+esm9"}]}],"versions":["4.80-7ubuntu3","4.80-7ubuntu4","4.80-9ubuntu1","4.80-9ubuntu2","4.82-3ubuntu1","4.82-3ubuntu2","4.82-3ubuntu2.1","4.82-3ubuntu2.2","4.82-3ubuntu2.3","4.82-3ubuntu2.4","4.82-3ubuntu2.4+esm1","4.82-3ubuntu2.4+esm2","4.82-3ubuntu2.4+esm3","4.82-3ubuntu2.4+esm4","4.82-3ubuntu2.4+esm6","4.82-3ubuntu2.4+esm7","4.82-3ubuntu2.4+esm8"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro","binaries":[{"binary_version":"4.82-3ubuntu2.4+esm9","binary_name":"exim4"},{"binary_version":"4.82-3ubuntu2.4+esm9","binary_name":"exim4-base"},{"binary_version":"4.82-3ubuntu2.4+esm9","binary_name":"exim4-config"},{"binary_version":"4.82-3ubuntu2.4+esm9","binary_name":"exim4-daemon-heavy"},{"binary_version":"4.82-3ubuntu2.4+esm9","binary_name":"exim4-daemon-light"},{"binary_version":"4.82-3ubuntu2.4+esm9","binary_name":"eximon4"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8382-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-51766"}],"ecosystem":"Ubuntu:Pro:14.04:LTS"}}},{"package":{"name":"exim4","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/exim4?arch=source&distro=esm-infra-legacy%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.86.2-2ubuntu2.6+esm9"}]}],"versions":["4.86-3ubuntu1","4.86-7ubuntu1","4.86-7ubuntu2","4.86-7ubuntu3","4.86.2-2ubuntu1","4.86.2-2ubuntu2","4.86.2-2ubuntu2.1","4.86.2-2ubuntu2.2","4.86.2-2ubuntu2.3","4.86.2-2ubuntu2.4","4.86.2-2ubuntu2.5","4.86.2-2ubuntu2.6","4.86.2-2ubuntu2.6+esm1","4.86.2-2ubuntu2.6+esm2","4.86.2-2ubuntu2.6+esm4","4.86.2-2ubuntu2.6+esm5","4.86.2-2ubuntu2.6+esm6","4.86.2-2ubuntu2.6+esm7","4.86.2-2ubuntu2.6+esm8"],"ecosystem_specific":{"binaries":[{"binary_version":"4.86.2-2ubuntu2.6+esm9","binary_name":"exim4"},{"binary_version":"4.86.2-2ubuntu2.6+esm9","binary_name":"exim4-base"},{"binary_name":"exim4-config","binary_version":"4.86.2-2ubuntu2.6+esm9"},{"binary_version":"4.86.2-2ubuntu2.6+esm9","binary_name":"exim4-daemon-heavy"},{"binary_version":"4.86.2-2ubuntu2.6+esm9","binary_name":"exim4-daemon-light"},{"binary_name":"eximon4","binary_version":"4.86.2-2ubuntu2.6+esm9"}],"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8382-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-48840"}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}},{"package":{"name":"exim4","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/exim4?arch=source&distro=esm-infra%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.90.1-1ubuntu1.10+esm6"}]}],"versions":["4.89-5ubuntu1","4.89-9ubuntu1","4.89-9ubuntu2","4.89-9ubuntu3","4.89-9ubuntu4","4.90.1-1ubuntu1","4.90.1-1ubuntu1.1","4.90.1-1ubuntu1.2","4.90.1-1ubuntu1.3","4.90.1-1ubuntu1.4","4.90.1-1ubuntu1.5","4.90.1-1ubuntu1.8","4.90.1-1ubuntu1.9","4.90.1-1ubuntu1.10","4.90.1-1ubuntu1.10+esm1","4.90.1-1ubuntu1.10+esm2","4.90.1-1ubuntu1.10+esm3","4.90.1-1ubuntu1.10+esm4","4.90.1-1ubuntu1.10+esm5"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"exim4","binary_version":"4.90.1-1ubuntu1.10+esm6"},{"binary_version":"4.90.1-1ubuntu1.10+esm6","binary_name":"exim4-base"},{"binary_version":"4.90.1-1ubuntu1.10+esm6","binary_name":"exim4-config"},{"binary_version":"4.90.1-1ubuntu1.10+esm6","binary_name":"exim4-daemon-heavy"},{"binary_version":"4.90.1-1ubuntu1.10+esm6","binary_name":"exim4-daemon-light"},{"binary_version":"4.90.1-1ubuntu1.10+esm6","binary_name":"eximon4"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8382-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-48840"}],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"exim4","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/exim4?arch=source&distro=esm-infra%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.93-13ubuntu1.12+esm1"}]}],"versions":["4.92.1-1ubuntu3","4.92.1-1ubuntu4","4.93~RC2-1ubuntu1","4.93-9ubuntu1","4.93-11ubuntu1","4.93-12ubuntu1","4.93-13ubuntu1","4.93-13ubuntu1.1","4.93-13ubuntu1.5","4.93-13ubuntu1.6","4.93-13ubuntu1.7","4.93-13ubuntu1.8","4.93-13ubuntu1.9","4.93-13ubuntu1.10","4.93-13ubuntu1.11","4.93-13ubuntu1.12"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_version":"4.93-13ubuntu1.12+esm1","binary_name":"exim4"},{"binary_name":"exim4-base","binary_version":"4.93-13ubuntu1.12+esm1"},{"binary_name":"exim4-config","binary_version":"4.93-13ubuntu1.12+esm1"},{"binary_version":"4.93-13ubuntu1.12+esm1","binary_name":"exim4-daemon-heavy"},{"binary_name":"exim4-daemon-light","binary_version":"4.93-13ubuntu1.12+esm1"},{"binary_version":"4.93-13ubuntu1.12+esm1","binary_name":"eximon4"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8382-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-40685"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-40686"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-40687"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"high","type":"Ubuntu"}],"id":"CVE-2026-45185"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-48840"}],"ecosystem":"Ubuntu:Pro:20.04:LTS"}}}],"schema_version":"1.7.5"}