Vulnerability Description
Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation.
CVSS Score
7.0
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Exim | Exim | < 4.99.1 |
Related Weaknesses (CWE)
References
- https://exim.org/static/doc/security/Vendor Advisory
- https://exim.org/static/doc/security/EXIM-Security-2025-12-09.1/report.txtVendor Advisory
- https://www.openwall.com/lists/oss-security/2025/12/11/2Mailing List
- http://www.openwall.com/lists/oss-security/2025/12/14/1Mailing List
- http://www.openwall.com/lists/oss-security/2025/12/18/3Mailing List
FAQ
What is CVE-2025-67896?
CVE-2025-67896 is a vulnerability with a CVSS score of 7.0 (HIGH). Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation.
How severe is CVE-2025-67896?
CVE-2025-67896 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-67896?
Check the references section above for vendor advisories and patch information. Affected products include: Exim Exim.