CLSA-2026-1778003565

Import Source
https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778003565.json
JSON Data
https://api.osv.dev/v1/vulns/CLSA-2026-1778003565
Upstream
  • CVE-2026-40684
  • CVE-2026-40685
  • CVE-2026-40687
Published
2026-05-05T17:52:50Z
Modified
2026-06-04T09:47:38.300963951Z
Summary
Fix CVE(s): CVE-2026-40684, CVE-2026-40685, CVE-2026-40687
Details
  • SECURITY UPDATE: out-of-bounds read in DNS reverse-lookup escape decoding when running against musl libc
    • debian/patches/CVE-2026-40684.patch: harden string_copy_dnsdomain() to consume 1, 2, or 3 digits incrementally instead of indexing past the input string when fewer than 3 digits follow a backslash escape
    • CVE-2026-40684
  • SECURITY UPDATE: out-of-bounds heap write in JSON dewrap on malformed header value ending in a trailing backslash
    • debian/patches/CVE-2026-40685.patch: only skip a backslash in dewrap() when followed by a non-NUL character
    • CVE-2026-40685
  • SECURITY UPDATE: SPA authenticator out-of-bounds write and uninitialised-heap information disclosure
    • debian/patches/CVE-2026-40687.patch: zero the spa_base64_to_bits() output buffer to plug the infoleak; replace assert()-based length guards in unicodeToString(), strToUnicode(), and toString() with explicit length clamping to prevent OOB writes
    • CVE-2026-40687
References

Affected packages

TuxCare:Ubuntu:20.04
exim4

Package

Name
exim4
Purl
pkg:deb/tuxcare/exim4?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.93-13ubuntu1.12+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778003565.json"
exim4-base

Package

Name
exim4-base
Purl
pkg:deb/tuxcare/exim4-base?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.93-13ubuntu1.12+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778003565.json"
exim4-config

Package

Name
exim4-config
Purl
pkg:deb/tuxcare/exim4-config?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.93-13ubuntu1.12+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778003565.json"
exim4-daemon-heavy

Package

Name
exim4-daemon-heavy
Purl
pkg:deb/tuxcare/exim4-daemon-heavy?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.93-13ubuntu1.12+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778003565.json"
exim4-daemon-light

Package

Name
exim4-daemon-light
Purl
pkg:deb/tuxcare/exim4-daemon-light?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.93-13ubuntu1.12+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778003565.json"
exim4-dev

Package

Name
exim4-dev
Purl
pkg:deb/tuxcare/exim4-dev?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.93-13ubuntu1.12+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778003565.json"
eximon4

Package

Name
eximon4
Purl
pkg:deb/tuxcare/eximon4?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.93-13ubuntu1.12+tuxcare.els1

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778003565.json"