
A new security release, Exim 4.99.1, has been made available to address a critical vulnerability identified as CVE-2025-67896. This vulnerability affects Exim versions starting at 4.99 and may also impact older versions that are no longer maintained. The good news is that installing version 4.99.1 on up-to-date systems like Exim 4.99 or newer will fix the issue. Users can obtain the updated software through various means, including a tarball from the FTP server or by accessing the code repository directly.



Exim 4.99.1 released

A new security release, Exim 4.99.1, has been made available to address a critical vulnerability identified as CVE-2025-67896 (also known as EXIM-Security-2025-12-09.1). The vulnerability affects Exim starting from version 4.99 and may also impact older versions, which are seldom maintained.


Although we cannot confirm the severity of this vulnerability across all outdated systems, we recommend that users who may still be running them remain vigilant, or at least understand its implications. The Exim team has released a report online detailing everything concerning this security fix: you can find it here.

Now, if you're using an up-to-date system like Exim 4.99 or newer, the good news is that installing version 4.99.1 will fix it for you.

Specifically speaking, this bug seems to impact systems where SQLite is being used for certain types of database lookups within Exim, as well as hintdb operations, though I'm not sure if everyone using older lookup methods would be affected exactly the same way.
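A triage check for the condition described above, as an added example that is not from the Exim project or the original post: it parses `exim -bV` output for the version and for SQLite support. The sample output is constructed, the function names and result labels are hypothetical, and matching "sqlite" outside the `Lookups` line to detect a SQLite hints DB is an assumption.

```python
import re
import subprocess

FIXED = (4, 99, 1)        # release the page names as the fix
FIRST_AFFECTED = (4, 99)  # "starting at 4.99", per the page

# Constructed, abridged `exim -bV` output (not captured from a real host).
SAMPLE_BV = """\
Exim version 4.99 #2 built 01-Nov-2025 10:00:00
Support for: crypteq IPv6 OpenSSL DKIM DNSSEC
Lookups (built-in): lsearch wildlsearch cdb dbm dnsdb passwd sqlite
Authenticators: cram_md5 plaintext
"""

def parse_bv(text):
    """Return (version_tuple, sqlite_seen) from `exim -bV` output."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)*)", text, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found")
    version = tuple(int(p) for p in m.group(1).split("."))
    sqlite_seen = False
    for line in text.splitlines():
        if line.startswith("Lookups"):
            # Lookup types are space-separated after the colon.
            sqlite_seen |= "sqlite" in line.partition(":")[2].split()
        elif "sqlite" in line.lower():
            # Assumption: a SQLite-backed hints DB is named somewhere in
            # the remaining lines; the exact wording varies by build.
            sqlite_seen = True
    return version, sqlite_seen

def triage(text):
    """Map `exim -bV` output onto the page's description of the issue."""
    version, sqlite_seen = parse_bv(text)
    if version >= FIXED:
        return "fixed"
    if not sqlite_seen:
        return "sqlite-not-detected"
    if version >= FIRST_AFFECTED:
        return "affected"
    return "unconfirmed-older-version"

if __name__ == "__main__":
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_BV  # no local exim binary: fall back to the sample
    print(triage(out))
```

SQLite being compiled in does not mean the running configuration uses it, so an "affected" result is a prompt to check the configuration and upgrade. Distribution packages may also carry a backported fix under an older version string.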

And what about getting your hands on this updated software? You have the usual options at your disposal. You can grab it via a simple tarball from their FTP server, which is where you'll find the release.

Alternatively, if you're already working with their code repository or just prefer that route, it's also located directly here.

For the more advanced crowd who like Git tags for tracking releases, 4.99.1 is marked as exim-4.99.1 on their repository page.