CVE ID: CVE-2019-16928
Date: 2019-09-27 (CVE assigned)
Version(s): from 4.92 up to and including 4.92.2
Reporter: QAX-A-TEAM <firstname.lastname@example.org>
Issue: Heap-based buffer overflow in string_vformat,
remote code execution seems to be possible
Conditions to be vulnerable
All versions from (and including) 4.92 up to (and including) 4.92.2 are
There is a heap-based buffer overflow in string_vformat (string.c).
The currently known exploit uses a extraordinary long EHLO string to
crash the Exim process that is receiving the message. While at this
mode of operation Exim already dropped its privileges, other paths to
reach the vulnerable code may exist.
There is - beside updating the server - no known mitigation.
Download and build the fixed version 4.92.3
- tag exim-4.92.3
- branch exim-4.92.3+fixes
The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains the security fix *and* useful
If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix. (Please note,
the Exim project officially doesn't support versions prior the current