Exim 4.98.1 Update: Vulnerability Fixed

Exim 4.98.1, a corrective release of the Exim mail server, has been issued to fix a vulnerability (CVE-2025-26794) that allowed SQL injection into the internal database used to store message delivery information.

The vulnerability specifically affects Exim 4.98 when it is built with the `USE_SQLITE` option, which makes Exim use the SQLite DBMS to store the hints DB. Exploitation depends on the ETRN SMTP command being enabled and on ETRN serialization being in use, which together allow SQL code to be injected into the database. To check whether a server is affected, confirm that the output of `exim -bV` contains “Hints DB: Using SQLite3”, and check whether the runtime configuration enables ETRN through `acl_smtp_etrn` and ETRN serialization through `smtp_etrn_serialize`.
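The check described above can be scripted. The following is an added example, not code from the Exim project: the function name `classify_exim`, the verdict strings and the sample outputs are constructed for illustration. It assumes a configured `acl_smtp_etrn` may accept ETRN, a conservative reading, since the ACL's contents are not evaluated.

```shell
#!/bin/sh
# classify_exim BV_TEXT BP_TEXT
#   BV_TEXT: output of `exim -bV`
#   BP_TEXT: output of `exim -bP acl_smtp_etrn smtp_etrn_serialize`
# Prints one verdict line for the CVE-2025-26794 preconditions.
classify_exim() {
    bv=$1 bp=$2
    # Only 4.98 itself is affected; 4.98.1 carries the fix.
    # Distribution builds may backport the fix without changing this string.
    if ! printf '%s\n' "$bv" | grep -Eq '^Exim version 4\.98([^.0-9]|$)'; then
        echo "not-affected: version is not 4.98"; return 0
    fi
    # Match the hints DB banner, not the bare word "sqlite": the lookup
    # list in -bV output can name sqlite even when the hints DB is not SQLite.
    if ! printf '%s\n' "$bv" | grep -iq 'Using sqlite3'; then
        echo "not-exposed: hints DB is not SQLite"; return 0
    fi
    # An unset ACL prints as "acl_smtp_etrn = " with nothing after it.
    if ! printf '%s\n' "$bp" | grep -Eq '^acl_smtp_etrn = *[^[:space:]]'; then
        echo "not-exposed: no ETRN ACL configured"; return 0
    fi
    # Boolean options print as "name" or "no_name" in -bP output.
    if printf '%s\n' "$bp" | grep -q '^no_smtp_etrn_serialize'; then
        echo "not-exposed: ETRN serialization disabled"; return 0
    fi
    echo "exposed: upgrade to 4.98.1"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_BV_SQLITE='Exim version 4.98 #1 built 01-Jan-2025 00:00:00
Hints DB: Using sqlite3
Lookups (built-in): lsearch wildlsearch dbm sqlite'
SAMPLE_BV_BDB='Exim version 4.98 #1 built 01-Jan-2025 00:00:00
Hints DB: Berkeley DB
Lookups (built-in): lsearch wildlsearch dbm sqlite'
SAMPLE_BP_ETRN='acl_smtp_etrn = acl_check_etrn
smtp_etrn_serialize'
SAMPLE_BP_NOACL='acl_smtp_etrn = 
smtp_etrn_serialize'

# On a live host:
#   classify_exim "$(exim -bV)" "$(exim -bP acl_smtp_etrn smtp_etrn_serialize)"
```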
