Bug 2423183

Summary: CVE-2025-26794 & CWE-122, CWE-787, CWE-843 in Exim 4.99
Product: [Fedora] Fedora
Component: exim
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Keywords: Security
Reporter: customercare
Assignee: Jaroslav Škarvada <jskarvad>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bennie.joubert, dwmw2, jskarvad, martin.fraenzl
Target Milestone: ---
Target Release: ---
URL: https://code.exim.org/exim/exim/src/branch/exim-4.99+fixes/doc/doc-txt/exim-security-2025-12-09.1/report.txt
Fixed In Version: exim-4.99.1-1.el9 exim-4.99.1-1.el8 exim-4.99.1-1.el10_2 exim-4.99.1-1.fc42 exim-4.99.1-1.fc43
Doc Type: ---
Story Points: ---
Last Closed: 2026-01-12 00:27:12 UTC
Type: ---
Regression: ---
Documentation: ---
Category: ---

Description customercare 2025-12-17 15:26:56 UTC
From andrew.fasano Sat Nov 22 02:40:13 2025

I'm writing to disclose two security vulnerabilities in Exim 4.99's
SQLite hints database implementation. One is related to the recently patched
CVE-2025-26794 (SQL injection), but the fix doesn't fully address the issue.
I've also discovered a new heap buffer overflow vulnerability in the same
code path.

In vulnerable configurations, a remote, unauthenticated attacker can achieve
heap corruption. I was unable to develop an end-to-end exploit chain for
remote code execution, but it may be possible with further work. I'm reporting
this to you immediately upon discovery so you can assess and remediate.

================================================================================
OVERVIEW
================================================================================

Two distinct vulnerabilities exist in the SQLite hints database code:

1. Incomplete SQL injection fix - CVE-2025-26794's patch doesn't escape
   single quotes

2. Heap buffer overflow - Unvalidated database field used as array bound (NEW)

IMPORTANT: Only specific ratelimit configurations expose these vulnerabilities.

================================================================================
VULNERABILITY #1: SQL INJECTION VIA RATELIMIT KEY (SAME ROOT CAUSE AS CVE-2025-26794)
================================================================================

Related to: CVE-2025-26794 (same vulnerable code, different attack vector)
CWE: CWE-89

See the link for more info:

https://code.exim.org/exim/exim/src/branch/exim-4.99+fixes/doc/doc-txt/exim-security-2025-12-09.1/report.txt

Reproducible: Always
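
The two bug classes the report describes, as an added example that is not Exim's code and not part of the original report: a lookup that splices a ratelimit-style key into SQL text after an escaper that does not touch single quotes, next to the properly escaped and the parameter-bound forms; and a stored-record decoder that trusts a count field read back from the database as an array bound, next to one that validates the count against the bytes actually present. The `hints` table schema, the record layout and every function name here are assumptions made for illustration. Python's `sqlite3` module is used so the queries run against an in-memory database; because `execute()` accepts only one statement, the injected key shown rewrites the `WHERE` clause rather than appending a second statement.

```python
"""Added illustration (not Exim code) of the two bug classes in the report:
SQL injection through a key spliced into SQL text, and a stored count field
trusted as an array bound.  Schema, record layout and names are assumed."""
import sqlite3
import struct

# Constructed sample rows: two records keyed the way a ratelimit key derived
# from a sender address might look (assumption, not Exim's real key format).
SAMPLE_ROWS = [
    ("ratelimit:alice@example.com", b""),
    ("ratelimit:bob@example.com", b""),
]


def make_db():
    """In-memory key/value table standing in for a hints database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hints (k TEXT PRIMARY KEY, v BLOB)")
    conn.executemany("INSERT INTO hints VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def weak_escape(key):
    """Hypothetical incomplete fix: strips statement separators and comment
    markers but leaves the single quote alone, so an attacker-controlled key
    can still close the string literal and rewrite the WHERE clause."""
    return key.replace(";", "").replace("--", "")


def lookup_weak(conn, key):
    """Vulnerable pattern: the key becomes part of the SQL text."""
    sql = "SELECT k FROM hints WHERE k = '%s'" % weak_escape(key)
    return [row[0] for row in conn.execute(sql)]


def sqlite_literal(s):
    """SQLite string literal: every single quote is doubled (what sqlite3's
    %Q format does).  Only a complete literal is safe to splice."""
    return "'" + s.replace("'", "''") + "'"


def lookup_escaped(conn, key):
    """Fix 1: the key is always a whole literal, never a fragment of one."""
    sql = "SELECT k FROM hints WHERE k = %s" % sqlite_literal(key)
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, key):
    """Fix 2 (preferred): bind the key as a parameter; the SQL text is fixed."""
    rows = conn.execute("SELECT k FROM hints WHERE k = ?", (key,))
    return [row[0] for row in rows]


# Assumed record layout: 4-byte little-endian entry count, then that many
# 8-byte entries.  Once read back from the database the count is attacker-
# influenced data, not a trusted bound.
HEADER = struct.Struct("<I")
ENTRY = struct.Struct("<Q")


def encode_record(entries):
    return HEADER.pack(len(entries)) + b"".join(ENTRY.pack(e) for e in entries)


def decode_record_unchecked(blob):
    """Vulnerable pattern: the stored count drives the loop.  The C equivalent
    indexes a heap buffer of len(blob) bytes `count` times; Python merely
    raises struct.error when the blob runs out."""
    (count,) = HEADER.unpack_from(blob, 0)
    return [ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)[0]
            for i in range(count)]


def decode_record(blob):
    """Fixed pattern: check the count against the bytes actually present
    before it is used as a bound."""
    if len(blob) < HEADER.size:
        raise ValueError("record shorter than its header")
    (count,) = HEADER.unpack_from(blob, 0)
    if (len(blob) - HEADER.size) != count * ENTRY.size:
        raise ValueError("entry count %d does not match record size" % count)
    return [ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)[0]
            for i in range(count)]


def record_is_well_formed(blob):
    try:
        decode_record(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR k LIKE '%"
    print("weak   :", lookup_weak(db, injected))      # every row leaks
    print("escaped:", lookup_escaped(db, injected))   # []
    print("bound  :", lookup_bound(db, injected))     # []
    tampered = HEADER.pack(1 << 30) + ENTRY.pack(0)   # claims 2**30 entries
    print("well-formed:", record_is_well_formed(tampered))  # False
```

Run as a script, the weak lookup returns every row for the injected key while the escaped and bound forms return none; a tampered record whose header claims more entries than the blob holds is rejected before its count is ever used as an index. In C the unchecked decoder's loop would be an out-of-bounds heap access rather than a `struct.error`, which is the class of bug the report's second finding describes.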

Comment 1 customercare 2025-12-17 15:27:41 UTC
If it wasn't clear:

REMOTE CODE EXECUTION via SQLITE Module.

Comment 2 Jaroslav Škarvada 2026-01-03 19:49:40 UTC
IMHO 4.99.1 should fix it; please correct me if I am wrong.

Comment 3 Fedora Update System 2026-01-03 20:13:56 UTC
FEDORA-2026-223569b08a (exim-4.99.1-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-223569b08a

Comment 4 Fedora Update System 2026-01-03 20:14:37 UTC
FEDORA-2026-aab8eaa2e3 (exim-4.99.1-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-aab8eaa2e3

Comment 5 Fedora Update System 2026-01-03 20:16:18 UTC
FEDORA-EPEL-2026-46c186c902 (exim-4.99.1-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-46c186c902

Comment 6 Fedora Update System 2026-01-03 20:19:21 UTC
FEDORA-EPEL-2026-b2e37e7d22 (exim-4.99.1-1.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-b2e37e7d22

Comment 7 Fedora Update System 2026-01-03 20:29:39 UTC
FEDORA-EPEL-2026-a0fad994eb (exim-4.99.1-1.el8) has been submitted as an update to Fedora EPEL 8.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-a0fad994eb

Comment 8 Fedora Update System 2026-01-04 01:08:51 UTC
FEDORA-EPEL-2026-b2e37e7d22 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-b2e37e7d22

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2026-01-04 01:18:00 UTC
FEDORA-EPEL-2026-a0fad994eb has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-a0fad994eb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2026-01-04 01:20:09 UTC
FEDORA-2026-223569b08a has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-223569b08a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-223569b08a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2026-01-04 01:27:24 UTC
FEDORA-EPEL-2026-46c186c902 has been pushed to the Fedora EPEL 10.2 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-46c186c902

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2026-01-04 01:55:08 UTC
FEDORA-2026-aab8eaa2e3 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-aab8eaa2e3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-aab8eaa2e3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2026-01-12 00:27:12 UTC
FEDORA-EPEL-2026-b2e37e7d22 (exim-4.99.1-1.el9) has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 14 Fedora Update System 2026-01-12 00:36:22 UTC
FEDORA-EPEL-2026-a0fad994eb (exim-4.99.1-1.el8) has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2026-01-12 00:46:06 UTC
FEDORA-EPEL-2026-46c186c902 (exim-4.99.1-1.el10_2) has been pushed to the Fedora EPEL 10.2 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 Fedora Update System 2026-01-20 01:37:28 UTC
FEDORA-2026-aab8eaa2e3 (exim-4.99.1-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Fedora Update System 2026-01-20 01:41:44 UTC
FEDORA-2026-223569b08a (exim-4.99.1-1.fc43) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.