CVE-2017-16944
published 2017-11-25


Priority P264 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 63.32% (99.1th percentile)
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | exim4 | < exim4 4.89-13 (bookworm) | exim4 4.89-13 (bookworm) |
| exim | exim | | |
| exim | exim | | |

Detection & IOCs
extracted from sources

command:
    EHLO localhost
    MAIL FROM:
    RCPT TO:
    BDAT 10
    .
    BDAT 0

command:
    EHLO localhost
    MAIL FROM:
    RCPT TO:
    BDAT 100
    .
    MAIL FROM:
    RCPT TO:
    BDAT 0 LAST
  • Detect the exploit pattern: a BDAT command followed by a lone '.' (dot-only chunk) and then another BDAT command in the same SMTP session. The '.' triggers an incorrect state transition in receive_getc/bdat_getc, leading to an infinite loop or stack exhaustion.
  • Monitor Exim SMTP daemon processes for infinite loops or stack exhaustion (signal 11 / SIGSEGV core dump) following BDAT command sequences, which indicates exploitation of the bdat_getc infinite loop.
  • Alert on Exim processes that persist and consume CPU after an SMTP connection is closed — a resource-based DoS indicator where the process enters an infinite loop without crashing.
  • Flag SMTP sessions targeting Exim 4.88 or 4.89 that issue multiple BDAT commands with a lone '.' as the entire chunk body, as this is the specific trigger sequence for CVE-2017-16944.
  • This vulnerability only affects Exim versions 4.88 and 4.89. Exim installations on other versions are not affected. Red Hat Enterprise Linux 5 ships a non-affected version.
  • The vulnerability is exploitable only when the BDAT (CHUNKING) SMTP extension is in use. Deployments with CHUNKING disabled are not affected by this specific code path.
  • Debian fixed this in exim package version 4.89-13 across all supported releases (bookworm, bullseye, forky, sid, trixie). Ensure the patched package is deployed.
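
A line-level heuristic for the first detection bullet above, as an added example that is not taken from the advisory or from Exim. It assumes each session's client-to-server lines are already available in order (for example from an SMTP proxy log); the function names, session ids and sample sessions are constructed for illustration.

```python
import re

# "BDAT <size>" with an optional LAST marker (RFC 3030 syntax).
BDAT_RE = re.compile(r"^BDAT\s+\d+(\s+LAST)?\s*$", re.IGNORECASE)

def find_bdat_dot_sequences(client_lines):
    """Return (first_bdat_idx, later_bdat_idx) pairs where a BDAT command is
    directly followed by a lone '.' line and another BDAT appears later in
    the same session. Heuristic: a legitimate chunk can contain a '.'-only
    line, so treat a hit as a lead to review, not as proof."""
    hits = []
    prev_bdat = None   # index of the most recent BDAT command line
    pending = None     # BDAT index whose next line was a lone '.'
    for i, raw in enumerate(client_lines):
        line = raw.rstrip("\r\n")
        if BDAT_RE.match(line):
            if pending is not None:
                hits.append((pending, i))
                pending = None
            prev_bdat = i
        elif line == "." and prev_bdat == i - 1:
            pending = prev_bdat
    return hits

def flagged_sessions(sessions):
    """Map of session id -> hits, for sessions with at least one hit."""
    result = {}
    for sid, lines in sessions.items():
        hits = find_bdat_dot_sequences(lines)
        if hits:
            result[sid] = hits
    return result

# Constructed sample sessions (addresses are placeholders).
SESSIONS = {
    "s1": ["EHLO localhost", "MAIL FROM:<a@example.test>",
           "RCPT TO:<b@example.test>", "BDAT 10", ".", "BDAT 0"],
    "s2": ["EHLO localhost", "MAIL FROM:<a@example.test>",
           "RCPT TO:<b@example.test>", "BDAT 100", ".",
           "MAIL FROM:<a@example.test>", "RCPT TO:<b@example.test>",
           "BDAT 0 LAST"],
    "benign-chunked": ["EHLO localhost", "MAIL FROM:<a@example.test>",
                       "RCPT TO:<b@example.test>", "BDAT 5", "hello",
                       "BDAT 0 LAST"],
    "benign-data": ["EHLO localhost", "MAIL FROM:<a@example.test>",
                    "RCPT TO:<b@example.test>", "DATA", "hi", "."],
}

if __name__ == "__main__":
    for sid, hits in flagged_sessions(SESSIONS).items():
        print(sid, hits)
```
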

CVSS provenance

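| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |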