From andrew.fasano Sat Nov 22 02:40:13 2025

I'm writing to disclose two security vulnerabilities in Exim 4.99's SQLite hints database implementation. One is related to the recently patched CVE-2025-26794 (SQL injection), but the fix doesn't fully address the issue. I've also discovered a new heap buffer overflow vulnerability in the same code path.

In vulnerable configurations, a remote, unauthenticated attacker can achieve heap corruption. I was unable to develop an end-to-end exploit chain for remote code execution, but it may be possible with further work. I'm reporting this to you immediately upon discovery so you can assess and remediate.

================================================================================
OVERVIEW
================================================================================

Two distinct vulnerabilities exist in the SQLite hints database code:

1. Incomplete SQL injection fix - CVE-2025-26794's patch doesn't escape single quotes
2. Heap buffer overflow - Unvalidated database field used as array bound (NEW)

IMPORTANT: Only specific ratelimit configurations expose these vulnerabilities.

================================================================================
VULNERABILITY #1: SQL INJECTION VIA RATELIMIT KEY (SAME ROOT CAUSE AS CVE-2025-26794)
================================================================================

Related to: CVE-2025-26794 (same vulnerable code, different attack vector)
CWE: CWE-89
See link for more info: https://code.exim.org/exim/exim/src/branch/exim-4.99+fixes/doc/doc-txt/exim-security-2025-12-09.1/report.txt
Reproducible: Always
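The two defects the report describes (a lookup key spliced into SQL text so a single quote is not escaped, and a count read back from the database used as an array bound) reduced to a small Python model of a hints-style store, with the mitigated form beside each. This is an added illustration, not Exim's code; the table schema, the record layout, MAX_EVENTS and every function name here are assumptions.

```python
import sqlite3
import struct

# Assumed hints-style table; this layout is a stand-in, not Exim's real schema.
SCHEMA = "CREATE TABLE hints (key TEXT PRIMARY KEY, value BLOB)"
MAX_EVENTS = 64  # assumed size of the fixed in-memory array a record is unpacked into


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def lookup_unsafe(db, key):
    # The flawed pattern: the key is pasted into the SQL text. A key holding a
    # single quote ends the string literal early, so SQLite no longer parses
    # the statement the author wrote (here it raises OperationalError).
    return db.execute("SELECT value FROM hints WHERE key = '" + key + "'").fetchone()


def lookup_safe(db, key):
    # Mitigation: bind the key as a parameter so its bytes are never SQL syntax.
    return db.execute("SELECT value FROM hints WHERE key = ?", (key,)).fetchone()


def store_safe(db, key, value):
    db.execute("INSERT OR REPLACE INTO hints (key, value) VALUES (?, ?)", (key, value))


def unpack_record(blob):
    # Assumed record layout: uint32 event count, then that many uint32 timestamps.
    # The count comes from the database, so it is untrusted: check it against
    # the array bound and the blob's real length before using it as a loop limit.
    if len(blob) < 4:
        raise ValueError("record too short")
    (n,) = struct.unpack_from("<I", blob, 0)
    if n > MAX_EVENTS or 4 + 4 * n > len(blob):
        raise ValueError(f"event count {n} exceeds bound")
    return list(struct.unpack_from(f"<{n}I", blob, 4))


def make_record(events):
    # Helper to build a well-formed record for the checks below.
    return struct.pack(f"<I{len(events)}I", len(events), *events)
```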
if it wasn't clear: REMOTE CODE EXECUTION via SQLITE Module.
IMHO 4.99.1 should fix it, please correct me if I am wrong.
FEDORA-2026-223569b08a (exim-4.99.1-1.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-223569b08a
FEDORA-2026-aab8eaa2e3 (exim-4.99.1-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2026-aab8eaa2e3
FEDORA-EPEL-2026-46c186c902 (exim-4.99.1-1.el10_2) has been submitted as an update to Fedora EPEL 10.2. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-46c186c902
FEDORA-EPEL-2026-b2e37e7d22 (exim-4.99.1-1.el9) has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-b2e37e7d22
FEDORA-EPEL-2026-a0fad994eb (exim-4.99.1-1.el8) has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-a0fad994eb
FEDORA-EPEL-2026-b2e37e7d22 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-b2e37e7d22 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2026-a0fad994eb has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-a0fad994eb See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-223569b08a has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-223569b08a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-223569b08a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2026-46c186c902 has been pushed to the Fedora EPEL 10.2 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-46c186c902 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-aab8eaa2e3 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-aab8eaa2e3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-aab8eaa2e3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2026-b2e37e7d22 (exim-4.99.1-1.el9) has been pushed to the Fedora EPEL 9 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2026-a0fad994eb (exim-4.99.1-1.el8) has been pushed to the Fedora EPEL 8 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2026-46c186c902 (exim-4.99.1-1.el10_2) has been pushed to the Fedora EPEL 10.2 stable repository. If the problem still persists, please make note of it in this bug report.