Debian issued two separate security advisories that address serious flaws within the exim4 mail transport agent. Attackers could exploit these weaknesses to run malicious code remotely, crash systems through denial of service attacks, or steal confidential information. Official patches are now available for Debian GNU/Linux 11 (Bullseye) LTS, 12 (Bookworm), and 13 (Trixie), with specific version numbers listed for each distribution. System owners must upgrade their packages immediately to close these dangerous security gaps before attackers can cause damage.

[DLA 4580-1] exim4 security update
[DSA 6265-1] exim4 security update

[SECURITY] [DLA 4580-1] exim4 security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4580-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
May 12, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : exim4
Version : 4.94.2-7+deb11u5
CVE ID : no number assigned yet

A vulnerability has been discovered in the Exim mail transport
agent, which may result in remote code execution.

For Debian 11 bullseye, this problem has been fixed in version
4.94.2-7+deb11u5.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DSA 6265-1] exim4 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6265-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 12, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : exim4
CVE ID : CVE-2026-40684 CVE-2026-40685 CVE-2026-40686 CVE-2026-40687

Several vulnerabilities were discovered in the Exim mail transport
agent, which may result in remote code execution, denial of service or
an information leak.

For the oldstable distribution (bookworm), these problems have been fixed
in version 4.96-15+deb12u9.

For the stable distribution (trixie), these problems have been fixed in
version 4.98.2-1+deb13u2.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/