Back to CVE Browser

CVE-2010-4344

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score82.0680%

EPSS Percentile86.90th

PublishedDec 14, 2010

Last ModifiedApr 21, 2026

Vulnerability Description

Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.

Affected Platforms (CPE)

📦

Exim

Exim

< 4.70

💻

Opensuse

Opensuse

= 11.1

💻

Opensuse

Opensuse

= 11.2

💻

Opensuse

Opensuse

= 11.3

💻

Debian

Debian Linux

= 5.0

💻

Canonical

Ubuntu Linux

= 6.06

💻

Canonical

Ubuntu Linux

= 8.04

💻

Canonical

Ubuntu Linux

= 9.10

References & Advisories

🔗 ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.70

🔗 http://atmail.com/blog/2010/atmail-6204-now-available/

🔗 http://bugs.exim.org/show_bug.cgi?id=787

🔗 http://git.exim.org/exim.git/commit/24c929a27415c7cfc7126c47e4cad39acf3efa6b

🔗 http://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html

🔗 http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html

🔗 http://openwall.com/lists/oss-security/2010/12/10/1

🔗 http://secunia.com/advisories/40019

Related Vulnerabilities

CVE-2019-101499.8

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function...

CVE-2019-139179.8

Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort }...

CVE-2019-158469.8

Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.

CVE-2019-169289.8

Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer...