Mallory
Medium

Exim PROXY Protocol Pre-Authentication Uninitialized Stack Memory Disclosure

Identifiers: CVE-2026-48840, CWE-457

CVE-2026-48840 is a pre-authentication information disclosure vulnerability (CWE-457, use of an uninitialized variable) in Exim’s PROXY protocol parser affecting Exim 4.88 through 4.99.3, fixed in 4.99.4. The flaw is in proxy_protocol(), where a stack union used to store parsed PROXYv2 address data is left uninitialized. For PROXYv2 frames, Exim validated only that the declared payload length did not exceed the size of the union; it did not enforce the minimum payload length required for the claimed address family. As a result, a malformed PROXYv2 header with an undersized payload causes Exim to copy fewer bytes into the union than it later reads out of it, so the remaining bytes are whatever the stack held before. The documented cases are TCPv6 (family 0x21), where len=0 can disclose all 16 bytes of hdr.v2.addr.ip6.src_addr, and TCPv4 (family 0x11), where a too-short length can disclose up to 4 bytes of the source address field. The leaked bytes are converted with inet_ntop into an IP string and echoed back to the client in the SMTP greeting/banner, before any SMTP command or authentication takes place.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation discloses uninitialized stack memory to an unauthenticated client before SMTP authentication. Because the PROXY header is consumed before the banner is sent, no SMTP command or credential is needed; the attacker only has to reach a listener that accepts PROXY frames from its source address (see hosts_proxy under Mitigation). The primary observed leak is up to 16 bytes per connection for the IPv6 path and 4 bytes for the IPv4 path. Advisory material states the leaked data can include live userspace virtual address pointers, making the issue useful as an ASLR-bypass primitive and as a chain component for further exploitation. By itself, the vulnerability is an information disclosure issue rather than direct code execution.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, disable PROXY protocol parsing on affected listeners by unsetting hosts_proxy, or restrict hosts_proxy to the exact IP addresses of trusted load balancers or proxies rather than broad CIDR ranges. Exim only reads a PROXY header from a connecting host that matches hosts_proxy, so a frame from any other host is never parsed. In addition, filter traffic at the network level so that only those upstream proxies can reach the PROXY-enabled listener. Deployments whose Exim build lacks SUPPORT_PROXY are not affected; the output of exim -bV lists PROXY in its "Support for:" line when the feature is compiled in.

Remediation

Patch, then assume compromise.

Upgrade Exim to 4.99.4 or later. Vendor fixes add minimum-length validation for PROXYv2 address payloads before the union fields are accessed, requiring at least 12 bytes for TCPv4 (two 4-byte addresses plus two 2-byte ports) and 36 bytes for TCPv6 (two 16-byte addresses plus two 2-byte ports), and rejecting malformed frames via the proxyfail path. Where distribution packages are used, apply the vendor-provided fixed packages; Debian advisory data indicates fixed versions including 4.96-15+deb12u10 for bookworm and 4.98.2-1+deb13u3 for trixie. After upgrading, confirm the running binary with exim -bV, since a package update does not restart an already-running daemon on every platform.
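The length-check bug described in the summary above and the minimum-length fix described in this section, shown side by side as an added example. This is not Exim's code: it is a simplified stand-alone model of the PROXYv2 wire format (12-byte signature, version/command byte, family byte, 16-bit payload length, then the address block) with an unpatched mode that keeps only the "fits in the union" upper-bound check and a patched mode that adds the per-family minimum. The struct layout, the function names parse_pp2/build_pp2/pp2_result, and the constructed frames are the author's assumptions. The stack union is filled with 0xAA instead of being left uninitialized so that the bytes the frame did not supply show up in the formatted address rather than as unpredictable stack contents.

```c
/* Added example, not Exim's code: simplified PROXYv2 parser showing the
 * original upper-bound-only length check beside the per-family minimum
 * length check that the fix adds. Build: cc -std=c11 -Wall proxy_v2.c */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PP2_SIG        "\r\n\r\n\0\r\nQUIT\n" /* 12-byte v2 signature */
#define PP2_FAM_TCP4   0x11
#define PP2_FAM_TCP6   0x21
#define PP2_FIXED_LEN  16   /* sig(12) + ver_cmd(1) + fam(1) + len(2) */

/* Assumed layout following the PROXY protocol v2 wire format. The union is
 * 36 bytes, so a declared len <= 36 passes the original check regardless
 * of whether the family's fields are actually covered by the payload. */
struct pp2_hdr {
  uint8_t  sig[12];
  uint8_t  ver_cmd;
  uint8_t  fam;
  uint16_t len;                 /* network byte order: address payload bytes */
  union {
    struct { uint32_t src_addr, dst_addr; uint16_t src_port, dst_port; } ip4; /* 12 bytes */
    struct { uint8_t  src_addr[16], dst_addr[16]; uint16_t src_port, dst_port; } ip6; /* 36 bytes */
  } addr;
};

/* Build a constructed v2 PROXY frame into buf; returns its length.
 * payload may be NULL when len == 0. Caller guarantees len <= 36. */
static size_t build_pp2(uint8_t *buf, uint8_t fam, const uint8_t *payload, uint16_t len)
{
  memcpy(buf, PP2_SIG, 12);
  buf[12] = 0x21;                          /* version 2, command PROXY */
  buf[13] = fam;
  buf[14] = (uint8_t)(len >> 8);
  buf[15] = (uint8_t)len;
  if (len) memcpy(buf + PP2_FIXED_LEN, payload, len);
  return PP2_FIXED_LEN + len;
}

/* Parse one frame. strict=0 keeps only the original upper-bound check
 * (unpatched behaviour); strict=1 adds the per-family minimum (the fix).
 * Writes the formatted source address to out and returns 1 on success,
 * or returns 0 for proxyfail. */
static int parse_pp2(const uint8_t *frame, size_t frame_len, int strict,
                     char *out, size_t outlen)
{
  struct pp2_hdr hdr;
  memset(&hdr, 0xAA, sizeof hdr);          /* stand-in for stale stack bytes */

  if (frame_len < PP2_FIXED_LEN || memcmp(frame, PP2_SIG, 12) != 0) return 0;
  memcpy(&hdr, frame, PP2_FIXED_LEN);      /* fixed part only; addr untouched */
  if ((hdr.ver_cmd & 0xF0) != 0x20) return 0;
  uint16_t len = ntohs(hdr.len);

  if (len > sizeof hdr.addr) return 0;                    /* original check */
  if (frame_len < PP2_FIXED_LEN + (size_t)len) return 0;  /* truncated read */

  if (strict) {                                           /* the fix */
    size_t need = hdr.fam == PP2_FAM_TCP4 ? 12 : hdr.fam == PP2_FAM_TCP6 ? 36 : 0;
    if (need == 0 || len < need) return 0;
  }

  memcpy(&hdr.addr, frame + PP2_FIXED_LEN, len); /* only len bytes overwrite 0xAA */

  switch (hdr.fam) {
  case PP2_FAM_TCP4: return inet_ntop(AF_INET,  &hdr.addr.ip4.src_addr, out, (socklen_t)outlen) != NULL;
  case PP2_FAM_TCP6: return inet_ntop(AF_INET6,  hdr.addr.ip6.src_addr, out, (socklen_t)outlen) != NULL;
  default:           return 0;
  }
}

/* Build and parse a constructed frame; returns the address string the
 * banner would carry, or "proxyfail" when the frame is rejected. */
static const char *pp2_result(uint8_t fam, const uint8_t *payload, uint16_t len, int strict)
{
  static char out[INET6_ADDRSTRLEN];
  uint8_t frame[PP2_FIXED_LEN + 36];
  if (len > 36) return "proxyfail";
  size_t n = build_pp2(frame, fam, payload, len);
  return parse_pp2(frame, n, strict, out, sizeof out) ? out : "proxyfail";
}

int main(void)
{
  /* Constructed inputs: TCPv6 with len=0, TCPv4 with len=2, and a valid TCPv4 frame */
  static const uint8_t short4[2] = { 192, 0 };
  static const uint8_t good4[12] = { 192, 0, 2, 1,  198, 51, 100, 7,  0x12, 0x34,  0x00, 0x19 };
  printf("v6 len=0  unpatched: %s\n", pp2_result(PP2_FAM_TCP6, NULL, 0, 0));
  printf("v6 len=0  patched:   %s\n", pp2_result(PP2_FAM_TCP6, NULL, 0, 1));
  printf("v4 len=2  unpatched: %s\n", pp2_result(PP2_FAM_TCP4, short4, 2, 0));
  printf("v4 len=2  patched:   %s\n", pp2_result(PP2_FAM_TCP4, short4, 2, 1));
  printf("v4 len=12 patched:   %s\n", pp2_result(PP2_FAM_TCP4, good4, 12, 1));
  return 0;
}
```

In unpatched mode the TCPv6 frame with len=0 yields aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa, all sixteen bytes coming from the pre-filled union, and the two-byte TCPv4 payload yields 192.0.170.170, the two missing bytes again coming from the union. In patched mode both frames are rejected and only the full 12-byte TCPv4 frame parses. Replace the memset with nothing and the same frames print whatever the previous function left on the stack, which is the disclosure the advisory describes.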
PUBLIC EXPLOITS


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability (vendor-confirmed product mapping):

Vendor   Product   Type
Debian   Exim4     application
Exim     Exim      application
