CVE-2019-16928

CRITICAL KEV

Exim < 4.92.2 - Out-of-Bounds Write

Title source: rule

Description

Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.

References (15)

[Exploit, Mailing List, Mitigation, Third Party Advisory] http://www.openwall.com/lists/oss-security/2019/09/28/1

[Exploit, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2019/09/28/2

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2019/09/28/3

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2019/09/28/4

[Issue Tracking, Patch, Vendor Advisory] https://bugs.exim.org/show_bug.cgi?id=2449

[Patch] https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f

[Vendor Advisory] https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html

[Release Notes] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/

[Release Notes] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/

[Release Notes] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/Sep/60

[Third Party Advisory] https://security.gentoo.org/glsa/202003-47

[Third Party Advisory] https://usn.ubuntu.com/4141-1/

[Third Party Advisory] https://www.debian.org/security/2019/dsa-4536

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-16928

Scores

CVSS v3 9.8

EPSS 0.9002

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-03-03

VulnCheck KEV 2022-03-03

InTheWild.io 2020-06-03

ENISA EUVD EUVD-2019-7422

CWE

CWE-787

Status published

Products (6)

canonical/ubuntu_linux 19.04

debian/debian_linux 10.0

exim/exim 4.92 - 4.92.2

fedoraproject/fedora 29

fedoraproject/fedora 30

fedoraproject/fedora 31

Published Sep 27, 2019

KEV Added Mar 03, 2022

Tracked Since Feb 18, 2026