Exim 4.99.1 mail server update with vulnerability fix

A corrective release of the Exim mail server, version 4.99.1, has been published, fixing a vulnerability (CVE-2025-67896) that allows a remote attacker to write beyond the bounds of a memory buffer. The vulnerability could potentially be used for remote code execution on the server, but no working exploit has been developed so far.

The vulnerability exists in the code for the internal SQLite-based database (Hints DB), which is used to store timing information, message delivery status, and email sending rate data. The issue is caused by database records being converted directly into the internal "dbdata_ratelimit_unique" structure without proper validation. That structure contains a fixed 40-byte "bloom" array, and the "bloom_size" field, which determines how many elements are written into the array, is taken from the stored record rather than checked against the array size. An attacker who can insert data into the database (by exploiting another vulnerability) with "bloom_size" deliberately set to a value larger than the array can therefore write beyond the allocated buffer.
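As an added illustration of the missing check described above (this is not Exim's code; the record layout, field names beyond "bloom", "bloom_size" and "dbdata_ratelimit_unique", and the sample records are assumptions), the loader below validates a stored record against the fixed array before copying it:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical record layout modelled on the article's description: a
 * 4-byte bloom_size followed by bloom data that must fit a fixed 40-byte
 * array. Names follow the article; the exact on-disk layout is assumed. */
#define BLOOM_BYTES 40

typedef struct {
    uint32_t bloom_size;          /* number of valid bytes in bloom[] */
    uint8_t  bloom[BLOOM_BYTES];
} dbdata_ratelimit_unique;

/* Validate a raw record before copying it into the fixed-size struct.
 * Returns 0 on success, -1 if the header is missing, -2 if bloom_size
 * exceeds the array (an unchecked copy would overflow here), -3 if the
 * record is shorter than bloom_size claims. */
int load_ratelimit_unique(const uint8_t *rec, size_t rec_len,
                          dbdata_ratelimit_unique *out)
{
    uint32_t bloom_size;
    if (!rec || !out || rec_len < sizeof bloom_size) return -1;
    memcpy(&bloom_size, rec, sizeof bloom_size);
    if (bloom_size > BLOOM_BYTES) return -2;      /* the bound the bug lacks */
    if (rec_len - sizeof bloom_size < bloom_size) return -3;
    memset(out, 0, sizeof *out);
    out->bloom_size = bloom_size;
    memcpy(out->bloom, rec + sizeof bloom_size, bloom_size);
    return 0;
}

/* Build a constructed record with a claimed bloom_size and data_len bytes
 * of filler; returns the record length. buf must hold 4 + data_len bytes. */
static size_t make_rec(uint8_t *buf, uint32_t claimed, size_t data_len)
{
    memcpy(buf, &claimed, sizeof claimed);
    memset(buf + sizeof claimed, 0xAB, data_len);
    return sizeof claimed + data_len;
}

/* Three constructed cases: a well-formed record, one whose header claims
 * more bloom bytes than the array holds, and one truncated on disk. */
int demo_case(int which)
{
    uint8_t buf[4 + 64];
    dbdata_ratelimit_unique rec;
    size_t n;
    switch (which) {
    case 0:  n = make_rec(buf, 40, 40); break;   /* exactly fills bloom[] */
    case 1:  n = make_rec(buf, 64, 64); break;   /* bloom_size > BLOOM_BYTES */
    default: n = make_rec(buf, 40, 16); break;   /* claims 40, only 16 present */
    }
    return load_ratelimit_unique(buf, n, &rec);
}
```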

The issue affects Exim 4.99 and 4.98.2, and only configurations that use the ratelimit ACL condition with the "unique" or "per_addr" parameters (e.g., "warn ratelimit = 100 / 1h / per_addr / $sender_address" or "warn ratelimit = 100 / 1h / per_rcpt / unique=$sender_address"). Furthermore, for the attack to be possible, Exim must be compiled with SQLite support (USE_SQLITE=yes) and configured to use it in the configuration file (hints_database = sqlite). In vulnerable configurations, running "exim -bV" prints "Hints DB: Using sqlite3".

Among the major distributions, affected versions shipped in Debian 13, Ubuntu 25.10, SUSE/openSUSE, Arch Linux, Fedora, and FreeBSD. RHEL and its derivatives are not affected, as Exim is not included in their standard package repositories (EPEL has not yet published an updated Exim package).

A new vector for exploiting CVE-2025-26794, fixed in the February release of Exim 4.98.1, has also been identified. That vulnerability allows SQL injection into the internal database (Hints DB): the earlier fix did not escape single quotes. An example of a MAIL FROM command leading to SQL injection is MAIL FROM:<"x'/**/UNION/**/SELECT/**/X' '--"@attacker.com>. This vulnerability can serve as a starting point for creating the conditions for the buffer overflow described above.

Source: opennet.ru
