Message-ID: <fxbuuizw5bvmsoafd2rn7ntruzq2yhw7fw3ptvbabxaguozgyv@iwyrf7ed3kgq>
Date: Fri, 29 May 2026 16:38:57 +0200
From: Heiko Schlittermann <hs@...marc.schlittermann.de>
To: oss-security@...ts.openwall.com
Cc: exim-announce@...ts.exim.org, exim-users@...ts.exim.org
Subject: CVE-2026-48840: Exim 4.99.4: PROXY-protocol uninitialised-stack information disclosure
Dear Exim users,
The Exim maintainers are releasing a security fix for CVE-2026-48840.
Identifier: EXIM-Security-2026-05-19.1 (CVE-2026-48840)
Type: pre-authentication information disclosure
Component: Exim
Affects: 4.88 (2017) through the current 4.99.3 release
Corrected in: Exim 4.99.4 (exim-4.99.4)
Credit: Warisjeet Singh (sin99xx)
Vulnerability Details
---------------------
proxy_protocol() declares hdr as an uninitialised stack union. For a
PROXYv2 frame, the only length guard is an upper bound: the frame size
must not exceed sizeof(hdr). No lower bound is checked.
A frame with address family 0x21 (TCPv6) and len=0 sets the read size
to 16, causing the read loop to copy exactly 0 bytes into the union.
The TCPv6 dispatch arm then unconditionally calls:
memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16)
copying 16 uninitialised stack bytes into tmpaddr6, which inet_ntop
then formats into tmpip6 as an IPv6 address string. That string is
stored in sender_host_address and echoed back to the client in the
250 response to EHLO/HELO:
250 hostname Hello probe [::68ef:38ad:ffff:0]
The same defect affects family 0x11 (TCPv4) with len < 12 (4 leaked
bytes instead of 16).
The leaked bytes track ASLR entropy across daemon restarts and are
confirmed to be live userspace VA pointers, making this an
ASLR-defeat primitive usable as a chain component.
Fix: add minimum-length checks per address family (12 bytes for
TCPv4/0x11, 36 bytes for TCPv6/0x21) before the union is accessed.
Frames that fail the check are rejected with proxyfail, consistent
with all other malformed-frame handling in the function.
Reported by Warisjeet Singh (sin99xx). Tested on aarch64 Linux;
architecture-independent (only leaked content varies).
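The following is an added example, not Exim's own proxy_protocol() code: a minimal PROXYv2 parser in C with the same shape as the defect described above (an uninitialised header union, an upper-bound-only length check, and an unconditional 16-byte copy in the TCPv6 arm), with the per-family minimum-length check from the fix switchable on and off. Struct and function names, the sample address blocks, and the 0x41 fill that stands in for stale stack contents are all constructed for this illustration; Exim's real union is larger and its read loop works on a socket rather than a buffer.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PROXY protocol v2: 12-byte signature, ver/cmd, family, then len (network
 * order) = number of address bytes following the 16-byte fixed header. */
#define PP2_HDR_SIZE 16
static const uint8_t pp2_sig[12] =
    { 0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A };

struct pp2_hdr {                 /* hypothetical, modelled on the v2 wire layout */
    uint8_t  sig[12];
    uint8_t  ver_cmd;            /* high nibble 2 = version, low nibble 1 = PROXY */
    uint8_t  fam;                /* 0x11 = TCPv4, 0x21 = TCPv6 */
    uint16_t len;                /* network order */
    union {
        struct { uint32_t src_addr, dst_addr; uint16_t src_port, dst_port; } ip4;        /* 12 bytes */
        struct { uint8_t src_addr[16], dst_addr[16]; uint16_t src_port, dst_port; } ip6; /* 36 bytes */
    } addr;
};

enum pp2_status { PP2_OK = 0, PP2_BAD_SIG, PP2_BAD_VER, PP2_TOO_LONG, PP2_TOO_SHORT, PP2_BAD_FAMILY };

/* Minimum address-block length per family: the lower bound the fix adds. */
size_t pp2_min_addr_len(uint8_t fam)
{
    switch (fam) {
    case 0x11: return 12;        /* 4 + 4 address bytes, 2 + 2 port bytes */
    case 0x21: return 36;        /* 16 + 16 address bytes, 2 + 2 port bytes */
    default:   return 0;         /* not handled in this example */
    }
}

/* Parse one PROXYv2 frame from buf (n bytes as delivered on the socket).
 * enforce_min_len == 0 reproduces the pre-4.99.4 logic (upper bound only);
 * enforce_min_len == 1 adds the per-family lower bound.
 * On PP2_OK, out_ip receives the textual source address. */
enum pp2_status pp2_parse(const uint8_t *buf, size_t n, int enforce_min_len,
                          char *out_ip, size_t out_len)
{
    struct pp2_hdr hdr;
    /* Exim leaves hdr uninitialised. A 0x41 fill stands in for stale stack bytes so
     * the leak is deterministic here (reading truly uninitialised memory is UB). */
    memset(&hdr, 0x41, sizeof hdr);

    if (n < PP2_HDR_SIZE) return PP2_BAD_SIG;
    memcpy(&hdr, buf, PP2_HDR_SIZE);
    if (memcmp(hdr.sig, pp2_sig, sizeof pp2_sig) != 0) return PP2_BAD_SIG;
    if ((hdr.ver_cmd & 0xF0) != 0x20) return PP2_BAD_VER;

    size_t size = PP2_HDR_SIZE + ntohs(hdr.len);
    if (size > sizeof hdr) return PP2_TOO_LONG;          /* the only guard before the fix */
    if (enforce_min_len) {
        size_t need = pp2_min_addr_len(hdr.fam);
        if (need == 0) return PP2_BAD_FAMILY;
        if (size < PP2_HDR_SIZE + need) return PP2_TOO_SHORT;  /* proxyfail in Exim */
    }
    if (n < size) return PP2_TOO_SHORT;                  /* advertised bytes never arrived */
    /* Only the advertised len bytes are copied; the rest of hdr.addr keeps old contents. */
    memcpy(&hdr.addr, buf + PP2_HDR_SIZE, size - PP2_HDR_SIZE);

    switch (hdr.fam) {
    case 0x11: {
        struct in_addr a4;
        memcpy(&a4, &hdr.addr.ip4.src_addr, sizeof a4);
        inet_ntop(AF_INET, &a4, out_ip, out_len);
        return PP2_OK;
    }
    case 0x21: {
        struct in6_addr a6;
        memmove(a6.s6_addr, hdr.addr.ip6.src_addr, 16);  /* the unconditional copy */
        inet_ntop(AF_INET6, &a6, out_ip, out_len);
        return PP2_OK;
    }
    default:
        return PP2_BAD_FAMILY;
    }
}

/* Build a constructed frame: fixed header plus addr_len bytes of address block. */
size_t pp2_build(uint8_t *out, uint8_t fam, const uint8_t *addr, uint16_t addr_len)
{
    memcpy(out, pp2_sig, sizeof pp2_sig);
    out[12] = 0x21;                                      /* version 2, command PROXY */
    out[13] = fam;
    out[14] = (uint8_t)(addr_len >> 8);
    out[15] = (uint8_t)(addr_len & 0xFF);
    if (addr_len) memcpy(out + PP2_HDR_SIZE, addr, addr_len);
    return PP2_HDR_SIZE + addr_len;
}

/* Run one constructed frame (family fam, first addr_len bytes of a fixed sample block:
 * 192.0.2.10 -> 198.51.100.1 or 2001:db8::1 -> 2001:db8::2, ports 1234 -> 25) through
 * the parser. Returns the parsed source address, or the rejection reason. */
const char *pp2_demo(uint8_t fam, uint16_t addr_len, int enforce_min_len)
{
    static const uint8_t v4[36] = { 192,0,2,10, 198,51,100,1, 0x04,0xD2, 0x00,0x19 };
    static const uint8_t v6[36] = { 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,
                                    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2,
                                    0x04,0xD2, 0x00,0x19 };
    static const char *names[] = { "ok", "bad-sig", "bad-ver", "too-long", "too-short", "bad-family" };
    static char ip[INET6_ADDRSTRLEN];
    uint8_t frame[64];
    if (addr_len > 36) addr_len = 36;
    size_t n = pp2_build(frame, fam, fam == 0x21 ? v6 : v4, addr_len);
    enum pp2_status st = pp2_parse(frame, n, enforce_min_len, ip, sizeof ip);
    return st == PP2_OK ? ip : names[st];
}

int main(void)
{
    printf("well-formed TCPv6, fixed parser: %s\n", pp2_demo(0x21, 36, 1));
    printf("len=0 TCPv6, pre-fix parser:     %s (stale bytes)\n", pp2_demo(0x21, 0, 0));
    printf("len=0 TCPv6, fixed parser:       %s\n", pp2_demo(0x21, 0, 1));
    printf("len=0 TCPv4, pre-fix parser:     %s (stale bytes)\n", pp2_demo(0x11, 0, 0));
    return 0;
}
```

With the lower bound disabled, the len=0 frames yield an address built entirely from the 0x41 fill, which is the same path by which a real daemon hands back whatever the stack held; with it enabled, the same frames are rejected before hdr.addr is touched, while full-length frames still parse. A TCPv4 frame with 4 <= len < 12 still passes the pre-fix parser and leaks only the bytes it did not supply, which is why the advisory counts 4 leaked bytes for that family.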
Affected Configurations
-----------------------
Exim compiled with SUPPORT_PROXY (default in Debian, Ubuntu,
RHEL/Fedora packages) and hosts_proxy set to a non-empty value.
On such builds "exim -bV" lists PROXY in its "Support for:" line, and
"exim -bP hosts_proxy" prints the effective setting.
The attacker's source IP must match hosts_proxy, or the attacker
must be able to reach the port that expects a PROXY header through
a host already in hosts_proxy.
Mitigations
-----------
- Narrow hosts_proxy to the exact load-balancer IPs (not a CIDR superset).
- Unset hosts_proxy entirely to disable PROXY-protocol parsing on the affected listener. The upstream proxy must then stop sending the header (Exim would otherwise read it as a malformed SMTP command), and the real client address is no longer available to ACLs and logging.
Resolution
----------
Upgrade to Exim 4.99.4. The fix is on branch exim-4.99+fixes,
tag exim-4.99.4, signed by Heiko Schlittermann (HS12-RIPE) <hs@...littermann.de>,
key 0xDD98D92359DE9E3C2663F291697F0EDD68099F6F.
Downloads
---------
https://ftp.exim.org/pub/exim/exim4/
https://code.exim.org/exim/exim/releases
Advisory
--------
https://www.exim.org/static/doc/security/EXIM-Security-2026-05-19.1/
Timeline
--------
2026-05-19 12:35 UTC Report received from Warisjeet Singh (sin99xx)
2026-05-19 13:26 UTC Acknowledgement sent to reporter
2026-05-19 14:06 UTC Root cause confirmed; fix drafted
2026-05-25 13:30 UTC CVE request submitted to MITRE via cveform.mitre.org
2026-05-25 17:57 UTC CVE-2026-48840 assigned by MITRE
2026-05-26 00:41 UTC Advance notice (distro-pre.txt) sent to distros@...openwall.org
2026-05-26 00:47 UTC Advance notice sent to exim-maintainers@...ts.exim.org
2026-05-27 14:00 UTC Fix branch and tag exim-4.99.4 pushed to exim-distros
2026-05-29 14:00 UTC Public release
--
Heiko Schlittermann
On behalf of the Exim Maintainers