CVE-2020-28017
published 2021-05-06

Priority: P264 · Severity: critical · CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 36.07% (98.3rd percentile)
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.

Affected

2 ranges

Vendor   Product   Version range                    Fixed in
debian   exim4     < exim4 4.94.2-1 (bookworm)      exim4 4.94.2-1 (bookworm)
exim     exim      < 4.94.1                         4.94.1

Detection & IOCs (extracted from sources)

  • CVE-2020-28017 affects all Exim versions before 4.94.2. The vulnerable function is receive_add_recipient; it is triggered by an e-mail message with an extremely large number of recipients (fifty million), which causes an integer overflow that leads to a buffer overflow.
  • CVE-2020-28017 affects all Exim versions going back to 2004 (the beginning of its Git history); any Exim instance older than 4.94.2 should be considered vulnerable.
  • Use asset inventory queries to identify exposed Exim servers for prioritized patching and detection coverage.
  • Remote exploitation of CVE-2020-28017 is considered difficult because of the resource consumption required to send fifty million recipients in a single e-mail message.
  • The Debian security tracker scopes this vulnerability as 'local', further reinforcing that practical remote exploitation is constrained.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv             -         9.8     CRITICAL   -
vendor_debian   -         9.8     CRITICAL   -
vendor_ubuntu   -         9.8     CRITICAL   -