
Critical Information Disclosure Vulnerability in Exim Affects Fedora 43 and 44

Severity: Medium (Score: 57.8)

Sources: Linuxsecurity

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: disclosure, cve-2026-48840, resolves, information, fedora, exim, cve-2026

Severity indicators: disclosure, CVE: CVE-2026-48840

Summary

A pre-authentication information disclosure vulnerability (CVE-2026-48840) has been identified in Exim, affecting Fedora versions 43 and 44. The vulnerability allows attackers to exploit mishandled short payloads in proxy configurations, potentially leading to sensitive information exposure. The flaw was published on May 30, 2026, and has been addressed in the latest Exim version 4.99.4, released on June 1, 2026. Users are advised to update their systems using the 'dnf' update program to mitigate the risk. The vulnerability impacts all Fedora users running affected versions of Exim. The updates resolve the issues tracked under bug reports rhbz#2483300 and rhbz#2476497. As of now, there are no reports of active exploitation, but the nature of the vulnerability poses a significant risk.

Key Points:

  • CVE-2026-48840 allows information disclosure via Exim in Fedora 43 and 44.
  • The vulnerability is due to mishandled short payloads in proxy configurations.
  • Users are urged to upgrade to Exim version 4.99.4 to mitigate risks.

Detailed Analysis

**Impact**

Fedora 43 and 44 users running Exim mail server versions prior to 4.99.4 are affected by a pre-authentication information disclosure vulnerability (CVE-2026-48840). The vulnerability allows unauthorized actors to access sensitive information via mishandled short payloads in proxy configurations. The scope includes all Fedora systems using vulnerable Exim versions, potentially impacting organizations relying on these distributions for mail services. No specific sectors, geographies, or data volumes are detailed in the sources.

**Technical Details**

The vulnerability (CVE-2026-48840) involves information disclosure through mishandled short payloads in Exim proxy configurations, exploitable without authentication. The affected Exim versions are prior to 4.99.4, with fixes released on June 1, 2026. No malware, additional tools, or infrastructure details are provided. The attack targets the reconnaissance and information gathering stages of the kill chain. No indicators of compromise (IOCs) are mentioned.

**Recommended Response**

Apply the Exim update version 4.99.4 or later immediately using the Fedora "dnf" package manager with advisories FEDORA-2026-71b1e9b455 for Fedora 43 and FEDORA-2026-78bf093219 for Fedora 44. Monitor mail server logs for unusual proxy payload activity and validate proxy configurations to prevent mishandling of short payloads. No additional detection signatures or IOCs are provided at this time.
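The remediation step above, as an added example that is not part of the advisory or the Exim project: a POSIX shell script that compares the installed Exim version against the fixed release 4.99.4 and emits the `dnf upgrade --advisory=` command for the Fedora 43 or 44 advisory named in the text. It assumes Fedora's `rpm`/`dnf` tooling; the version parsing and the function names are this script's own.

```shell
#!/bin/sh
# Added example: decide whether this host still needs the CVE-2026-48840 fix.
FIXED_VERSION="4.99.4"

# Compare two dotted version strings numerically; prints -1, 0 or 1.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return; }
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    printf '%s\n' 0
}

# True (exit 0) when the given Exim version already carries the fix.
exim_is_fixed() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Map a Fedora release number to the advisory ID from the text.
advisory_for_release() {
    case "$1" in
        43) echo "FEDORA-2026-71b1e9b455" ;;
        44) echo "FEDORA-2026-78bf093219" ;;
        *)  return 1 ;;
    esac
}

# Print the remediation command for an installed version and Fedora release.
remediation_cmd() {
    ver="$1"; rel="$2"
    if exim_is_fixed "$ver"; then
        echo "exim $ver already includes the fix for CVE-2026-48840"
        return 0
    fi
    adv=$(advisory_for_release "$rel") || { echo "no advisory known for Fedora $rel"; return 1; }
    echo "sudo dnf upgrade --advisory=$adv"
}

# Live check against the local package database when run with --check.
if [ "${1:-}" = "--check" ] && command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}' exim 2>/dev/null) || installed=""
    release=$(rpm -E %fedora 2>/dev/null)
    [ -n "$installed" ] && remediation_cmd "$installed" "$release"
fi
```

Run it as `sh check-exim.sh --check` on the mail host; with no arguments it only defines the functions, so it can be sourced into other inventory scripts.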

Source articles (2)

  • Fedora 44 Exim Critical Information Disclosure CVE-2026 — Linuxsecurity · 2026-06-10
    This is an update fixing a pre-authentication information disclosure (CVE-2026-48840). * Mon Jun 1 2026 Jaroslav Škarvada - 4.99.4-1 - New version Resolves: rhbz#2483300 Resolves: CVE-2026-48840 * Mon…
  • Fedora 43 Exim Important Info Disclosure CVE-2026 — Linuxsecurity · 2026-06-10
    This is an update fixing a pre-authentication information disclosure (CVE-2026-48840). * Mon Jun 1 2026 Jaroslav Škarvada - 4.99.4-1 - New version Resolves: rhbz#2483300 Resolves: CVE-2026-48840 * Mon…

Timeline

  • 2026-05-30 — CVE-2026-48840 published: A pre-authentication information disclosure vulnerability in Exim was disclosed, affecting Fedora systems.
  • 2026-06-01 — Exim version 4.99.4 released: The new version addresses CVE-2026-48840 and other bugs, resolving critical vulnerabilities.
  • 2026-06-10 — Advisories published for Fedora 43 and 44: Linuxsecurity published advisories urging users to update to the latest Exim version to prevent information disclosure.

CVEs

  • CVE-2026-48840

Related entities

  • Data Breach (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • Fedora (Company)
  • Linux (Platform)