CVE-2025-67896
Publication date 14 December 2025
Last updated 22 December 2025
Ubuntu priority
CVSS 3 Severity Score
Description
Exim before 4.99.1 allows remote heap corruption that will be further described on 2025-12-18.
Why is this CVE high priority?
This is a remote code execution vulnerability
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| exim4 | 25.10 questing | Not affected |
| exim4 | 25.04 plucky | Not affected |
| exim4 | 24.04 LTS noble | Not affected |
| exim4 | 22.04 LTS jammy | Not affected |
| exim4 | 20.04 LTS focal | Not affected |
| exim4 | 18.04 LTS bionic | Not affected |
| exim4 | 16.04 LTS xenial | Not affected |
| exim4 | 14.04 LTS trusty | Not affected |
Notes
mdeslaur
Per upstream, 4.98.1 is not affected. Only an issue when build-time config enables SQLITE3 for hint dbs. In Ubuntu, BerkeleyDB is used in questing and earlier, so only Resolute is vulnerable.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | High |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L |