Debian Exim4 vulnerabilities
62 known vulnerabilities affecting debian/exim4.
Total CVEs: 62
CISA KEV: 5 (actively exploited)
Public exploits: 10
Exploited in wild: 7
Severity breakdown: CRITICAL 16, HIGH 26, MEDIUM 11, LOW 9
Vulnerabilities
Page 2 of 4
CVE-2019-13917 | P2 | CRITICAL | CVSS 9.8 | fixed in exim4 4.92-10 (bookworm) | 2019
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).
Scope: local
bookworm: resolved (fixed in 4.92-10)
bullseye: resolved (fixed in 4.92-10)
forky: resolved (fixed in 4.92-10)
sid: resolved (fixed
CVE-2020-28020 | P2 | CRITICAL | CVSS 9.8 | fixed in exim4 4.92~RC5-1 (bookworm) | 2020
Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction.
Scope: local
bookworm: resolved (fixed in 4.92~RC5-1)
bullseye: resolved (fixed in 4.92~RC5-1)
forky: resolved (fixed in 4.92~RC5-1)
sid: resolved
CVE-2020-28021 | P3 | HIGH | CVSS 8.8 | fixed in exim4 4.94.2-1 (bookworm) | 2020
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command.
Scope: local
bookworm: resolved (fixed in 4.94.2-1)
bullseye: resolved (fixed in 4.94.2-1)
forky: resolved (fixed in 4.94.2-1
CVE-2025-67896 | P3 | LOW | CVSS 7.0 | fixed in exim4 4.99-7 (forky) | 2025
Entry title severity: HIGH
Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 4.99-7)
sid: resolved (fixed in 4.99-7)
trixie: resolved
CVE-2005-0021 | P3 | HIGH | CVSS 7.2 | PoC | fixed in exim4 4.34-10 (bookworm) | 2005
Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.
Scop
CVE-2020-28022 | P3 | CRITICAL | CVSS 9.8 | fixed in exim4 4.94.2-1 (bookworm) | 2020
Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands.
Scope: local
bookworm: resolved (fixed in 4.94.2-1)
bullseye: resolved (fixed in 4.94.2-1)
forky: resolved (fixed in 4.94.2-1)
sid: resolved (fixed in 4.94.2-1)
trixie: resolved
CVE-2022-37452 | P3 | CRITICAL | CVSS 9.8 | fixed in exim4 4.94.2-5 (bookworm) | 2022
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
Scope: local
bookworm: resolved (fixed in 4.94.2-5)
bullseye: resolved (fixed in 4.94.2-5)
forky: resolved (fixed in 4.94.2-5)
sid: resolved (fixed in 4.94.2-5)
trixie: resolved (fixed in 4.94.2-5)
CVE-2002-1381 | P4 | HIGH | CVSS 7.2 | PoC | fixed in exim4 4.11-0.0.1 (bookworm) | 2002
Format string vulnerability in daemon.c for Exim 4.x through 4.10, and 3.x through 3.36, allows exim administrative users to execute arbitrary code by modifying the pid_file_path value.
Scope: local
bookworm: resolved (fixed in 4.11-0.0.1)
bullseye: resolved (fixed in 4.11-0.0.1)
forky: resolved (fixed in 4.11-0.0.1)
sid: resolved (fixed in 4.11-0.0.1)
trixie: resolved
CVE-2020-12783 | P3 | HIGH | CVSS 7.5 | fixed in exim4 4.93-16 (bookworm) | 2020
Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.
Scope: local
bookworm: resolved (fixed in 4.93-16)
bullseye: resolved (fixed in 4.93-16)
forky: resolved (fixed in 4.93-16)
sid: resolved (fixed in 4.93-16)
trixie: resolved (fixed in 4.93-16)
CVE-2022-3620 | P3 | LOW | CVSS 5.6 | fixed in exim4 4.96-7 (bookworm) | 2022
Entry title severity: MEDIUM
A vulnerability was found in Exim and classified as problematic. This issue affects the function dmarc_dns_lookup of the file dmarc.c of the component DMARC Handler. The manipulation leads to use after free. The attack may be initiated remotely. The name of the patch is 12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445. It is recommended to apply a patch to fix this issue. The
CVE-2024-39929 | P3 | MEDIUM | CVSS 5.4 | fixed in exim4 4.96-15+deb12u5 (bookworm) | 2024
Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.
Scope: local
bookworm: resolved (fixed in 4.96-15+deb12u5)
bullseye: resolved (fixed in 4.94.2-7+deb11u3)
forky: resolved (fixe
CVE-2023-42114 | P3 | MEDIUM | CVSS 5.3 | fixed in exim4 4.96-15+deb12u2 (bookworm) | 2023
Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper va
CVE-2011-1407 | P3 | HIGH | CVSS 7.5 | fixed in exim4 4.76-1 (bookworm) | 2011
The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity.
Scope: local
bookworm: resolved (fixed in 4.76-1)
bullseye: resolved (fixed in 4.76-1)
forky: resolved (fixed in 4.76-1)
sid: resolv
CVE-2014-2957 | P3 | LOW | CVSS 6.8 | fixed in exim4 4.82.1-1 (bookworm) | 2014
Entry title severity: MEDIUM
The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function.
Scope: local
bookworm: resolved (fixed in 4.82.1-1)
bullseye: resolved (fixed in 4.82.1-1)
forky: resolved (fixed in 4.82.1-1)
sid: resolved (f
CVE-2021-38371 | P3 | HIGH | CVSS 7.5 | fixed in exim4 4.95~RC2-1 (bookworm) | 2021
The STARTTLS feature in Exim through 4.94.2 allows response injection (buffering) during MTA SMTP sending.
Scope: local
bookworm: resolved (fixed in 4.95~RC2-1)
bullseye: resolved (fixed in 4.94.2-7+deb11u4)
forky: resolved (fixed in 4.95~RC2-1)
sid: resolved (fixed in 4.95~RC2-1)
trixie: resolved (fixed in 4.95~RC2-1)
CVE-2020-28007 | P3 | HIGH | CVSS 7.8 | fixed in exim4 4.94.2-1 (bookworm) | 2020
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.
Scope: local
bookworm: resolved (fixed in 4.94.2-1)
bullseye: resolved (fixed in 4.94.2-1)
forky: resolved (fixed in 4.94
CVE-2020-28008 | P3 | HIGH | CVSS 7.8 | fixed in exim4 4.94.2-1 (bookworm) | 2020
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution.
Scope: local
bookworm: resolved (fixed in 4.94.2-1)
bullseye: resolved (fi
CVE-2011-1764 | P3 | HIGH | CVSS 7.5 | fixed in exim4 4.75-3 (bookworm) | 2011
Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.c in Exim before 4.76 might allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in data used in DKIM logging, as demonstrated by an identity field containing a % (percent) character.
Scope: local
bookworm: resolved (fixed
CVE-2025-30232 | P3 | HIGH | CVSS 8.1 | fixed in exim4 4.96-15+deb12u7 (bookworm) | 2025
A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges.
Scope: local
bookworm: resolved (fixed in 4.96-15+deb12u7)
bullseye: resolved
forky: resolved (fixed in 4.98.1-2)
sid: resolved (fixed in 4.98.1-2)
trixie: resolved (fixed in 4.98.1-2)
CVE-2022-3559 | P3 | MEDIUM | CVSS 4.6 | fixed in exim4 4.96-4 (bookworm) | 2022
A vulnerability was found in Exim and classified as problematic. This issue affects some unknown processing of the component Regex Handler. The manipulation leads to use after free. The name of the patch is 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2. It is recommended to apply a patch to fix this issue. The identifier VDB-211073 was assigned to this vulnerability.
Scope