# CVE 2025-26794

- Sat, 08 Feb 2025 21:14:37 +0100: reported
  - by: "Oscar Bataille" <batailleoscar@protonmail.com>
  - to: security@exim.org
- Sun, 9 Feb 2025 00:00:05 +0100: report confirmed
- Tue, 11 Feb 2025 00:23:34 +0100: issue confirmed
- Tue, 11 Feb 2025 12:54:10 +0000: CVE ID requested
- Fri, 14 Feb 2025 04:19:13 -0500: CVE ID 2025-26794 received
- Tue, 18 Feb 2025 20:56:25 +0100: sent notification to <distros@vs.openwall.org>
- Wed, 19 Feb 2025 23:07:02 +0100: sent notification to <oss-security@lists.openwall.com>, and <exim-users@lists.exim.org>
- Thu, 20 Feb 2025 18:36:34 +0100: sent notification to <exim-announce@lists.exim.org>
- Fri, 21 Feb 2025 13:00:00 +0100: published the changes on https://code.exim.org/exim/exim.git


## Details

A SQL injection is possible.

The following conditions must be met for an installation to be vulnerable:

- Exim Version 4.98
- The build-time option _USE_SQLITE_ is set (it enables the use of SQLite
  for the hints databases). To check, see whether the output of `exim -bV`
  contains
  ```
  Hints DB:
    Using sqlite3
  ```
- The runtime configuration enables ETRN: `acl_smtp_etrn` returns _accept_
  (the default is _deny_)
- The runtime configuration enforces ETRN serialization:
  `smtp_etrn_serialize` is set to _true_ (the default is _true_)
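
The conditions above can be triaged from captured `exim -bV` and `exim -bP` output. The script below is an added example, not part of the Exim advisory or code base. The function name, the verdict strings, the constructed sample and the assumed `exim -bP` output formats are assumptions, and only the reported version string is compared.

```sh
#!/bin/sh
# Added example (not Exim project code). Function name and verdict strings are
# hypothetical. Inputs are captured text: $1 = `exim -bV`,
# $2 = `exim -bP smtp_etrn_serialize`, $3 = `exim -bP acl_smtp_etrn`.
check_cve_2025_26794() {
    bv=$1; serialize=$2; acl=$3

    # Condition 1: version is exactly 4.98 ("Exim version 4.98 #N built ...").
    ver=$(printf '%s\n' "$bv" | awk '/^Exim version / { print $3; exit }')
    [ "$ver" = "4.98" ] || { echo "not affected: version ${ver:-unknown}"; return 1; }

    # Condition 2: "Using sqlite3" sits in the indented block under "Hints DB:".
    printf '%s\n' "$bv" | awk '
        /^Hints DB:/                { in_hints = 1; next }
        in_hints && /^[^ \t]/       { in_hints = 0 }
        in_hints && /Using sqlite3/ { found = 1 }
        END                         { exit !found }' ||
        { echo "not affected: hints DB is not SQLite"; return 1; }

    # Condition 3: an unset acl_smtp_etrn (assumed output "acl_smtp_etrn =")
    # leaves ETRN at its default of deny.
    acl_name=$(printf '%s\n' "$acl" | sed -n 's/^acl_smtp_etrn *= *//p')
    [ -n "$acl_name" ] || { echo "not affected: acl_smtp_etrn unset"; return 1; }

    # Condition 4: booleans are assumed to print as "name" or "no_name".
    [ "$serialize" = "smtp_etrn_serialize" ] ||
        { echo "not affected: smtp_etrn_serialize is false"; return 1; }

    # Whether the ACL actually returns accept needs a manual read of the config.
    echo "review: conditions met if ACL '$acl_name' can return accept"
}

# Constructed sample of `exim -bV` output (not taken from a real host).
SAMPLE_BV='Exim version 4.98 #2 built 01-Jan-2025 00:00:00
Hints DB:
  Using sqlite3
Support for: iconv() IPv6'

check_cve_2025_26794 "$SAMPLE_BV" "smtp_etrn_serialize" \
    "acl_smtp_etrn = acl_check_etrn"
```

On a live host, pass `"$(exim -bV)"`, `"$(exim -bP smtp_etrn_serialize)"` and `"$(exim -bP acl_smtp_etrn)"` as the three arguments.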

## Acknowledgements

Thanks to Oscar Bataille for discovering and reporting this issue in a
responsible manner.