CVE-2026-40687: In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-
Summary
CVE-2026-40687 is a vulnerability in the Exim mail transfer agent (versions before 4.99.2). When the SPA authentication driver (one of Exim's mechanisms for verifying a user's identity) is used with an adversarial SPA resource, an out-of-bounds write (a write to memory outside the intended buffer) can occur. The result is either a crash of the affected mail connection or disclosure of uninitialized heap memory, which may contain sensitive data left over from earlier use.
Vulnerability Details
CVSS Score: 4.8 (medium)
EPSS (30-day exploit probability): 0.0%
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Disclosure Date: April 30, 2026
Classification
Attack Sophistication: Moderate
Taxonomy References
CWE (Weakness Type)
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-40687
First tracked: May 1, 2026 at 02:07 AM
Classified by LLM (prompt v3) · confidence: 95%