
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A SQL injection vulnerability was discovered in Exim version 4.98, identified as CVE-2025-26794. The vulnerability was reported by Oscar Bataille on February 8, 2025, and affects installations where SQLite hints and ETRN serialization are used. The issue was confirmed and patched with the release of Exim 4.98.1 on February 21, 2025 (Exim Security, Exim Org).
The vulnerability is a SQL injection that occurs only when specific conditions are met: the system must be running Exim version 4.98, have been built with the USE_SQLITE option so that hints databases use SQLite, have ETRN enabled in the runtime configuration (acl_smtp_etrn set to an ACL that accepts), and have ETRN serialization enforced (smtp_etrn_serialize set to true, which is the default setting). A build that uses SQLite for hints databases can be identified by the line 'Hints DB: Using sqlite3' in the output of 'exim -bV' (CVE Details). The CVSS v3.1 base score for this vulnerability is 7.5 HIGH with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
The vulnerability allows remote SQL injection attacks when these configuration conditions are met. Many systems are not affected by default, however: Ubuntu, for example, builds Exim against BerkeleyDB rather than SQLite for hints databases, so its packages are not exposed to this vulnerability (Ubuntu Security).
The primary mitigation is to upgrade to Exim version 4.98.1, which contains the fix for this vulnerability. The fix was released on February 21, 2025, and is available through official channels and package managers. For systems that cannot immediately upgrade, ensuring that ETRN is disabled (which is the default setting) can serve as a temporary mitigation (Exim Org, OSS Security).
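The exposure check described above (version, hints-DB backend, acl_smtp_etrn and smtp_etrn_serialize), put into a script as an added example; this is not code from the Exim project or from the advisory. It assumes that `exim -bP <option>` prints `name = value` for string options and either `smtp_etrn_serialize` or `no_smtp_etrn_serialize` for the boolean, and the sample outputs below are constructed, not real captures.

```sh
#!/bin/sh
# Exposure check for CVE-2025-26794: added example, not code from the Exim project
# or the advisory. It applies the four conditions above to captured command output:
#   $1  text of `exim -bV`
#   $2  text of `exim -bP acl_smtp_etrn`       e.g. "acl_smtp_etrn = acl_check_etrn"
#   $3  text of `exim -bP smtp_etrn_serialize` "smtp_etrn_serialize" or "no_smtp_etrn_serialize"
# Prints "affected: ..." or "not-affected: ..." and always returns 0.
exim_exposure() {
  bv="$1"; acl="$2"; ser="$3"
  # 1. Exactly version 4.98; "4.98.1 " does not match "4.98 " because of the trailing space.
  case "$bv" in
    *"Exim version 4.98 "*) ;;
    *) echo "not-affected: version is not 4.98"; return 0 ;;
  esac
  # 2. Hints databases built on SQLite (USE_SQLITE at build time).
  case "$bv" in
    *"Hints DB: Using sqlite3"*) ;;
    *) echo "not-affected: hints DB is not sqlite3"; return 0 ;;
  esac
  # 3. ETRN enabled: acl_smtp_etrn carries a value. An empty value means ETRN is
  #    refused (the default). Any named ACL is treated as enabled, conservatively.
  acl_value=$(printf '%s' "$acl" | sed 's/^[[:space:]]*acl_smtp_etrn[[:space:]]*=//' | tr -d '[:space:]')
  if [ -z "$acl_value" ]; then
    echo "not-affected: acl_smtp_etrn is unset, ETRN is refused"; return 0
  fi
  # 4. Serialization on: exim -bP prints "no_smtp_etrn_serialize" when it is off.
  case "$ser" in
    *no_smtp_etrn_serialize*) echo "not-affected: smtp_etrn_serialize is false"; return 0 ;;
  esac
  echo "affected: upgrade to Exim 4.98.1, or unset acl_smtp_etrn until you can"
  return 0
}

# Constructed sample output (not real captures) so the check can be exercised offline.
VULN_BV='Exim version 4.98 #2 built 01-Jan-2025 00:00:00
Hints DB: Using sqlite3'
BDB_BV='Exim version 4.98 #2 built 01-Jan-2025 00:00:00
Hints DB: Using Berkeley DB'
FIXED_BV='Exim version 4.98.1 #2 built 21-Feb-2025 00:00:00
Hints DB: Using sqlite3'

# Live use on a host: exim_exposure "$(exim -bV)" "$(exim -bP acl_smtp_etrn)" "$(exim -bP smtp_etrn_serialize)"
exim_exposure "$VULN_BV"  'acl_smtp_etrn = acl_check_etrn' 'smtp_etrn_serialize'   # affected
exim_exposure "$BDB_BV"   'acl_smtp_etrn = acl_check_etrn' 'smtp_etrn_serialize'   # not-affected
exim_exposure "$FIXED_BV" 'acl_smtp_etrn = acl_check_etrn' 'smtp_etrn_serialize'   # not-affected
exim_exposure "$VULN_BV"  'acl_smtp_etrn = '               'smtp_etrn_serialize'   # not-affected
```

The check only tells you whether an ACL is named; it cannot evaluate whether that ACL actually accepts, so treat "affected" as "review the ACL and patch".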
The vulnerability was handled through a coordinated disclosure process, with distribution packagers being informed ahead of the public announcement. Various Linux distributions and BSD systems quickly responded with updates, as evidenced by rapid patch implementations in NixOS and OpenBSD ports (NixOS PR, OpenBSD Ports).
Source: This report was generated using AI