CVE-2022-37451

moderate-risk

Published 2022-08-06

Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.

Do I need to act?

6.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Exim

Fedora

Fedoraproject Exim

Third Party Advisory https://cwe.mitre.org/data/definitions/762.html

Patch https://github.com/Exim/exim/commit/51be321b27825c01829dffd90f11bfff256f7e42

Release Notes https://github.com/Exim/exim/compare/exim-4.95...exim-4.96

Release Notes https://github.com/Exim/exim/wiki/EximSecurity

Exploit https://github.com/ivd38/exim_invalid_free

Mailing List https://lists.exim.org/lurker/message/20220625.141825.d6de6074.en.html

Vendor Advisory https://www.exim.org/static/doc/security/

Mailing List https://www.openwall.com/lists/oss-security/2022/08/06/1

Third Party Advisory https://cwe.mitre.org/data/definitions/762.html

Patch https://github.com/Exim/exim/commit/51be321b27825c01829dffd90f11bfff256f7e42

Release Notes https://github.com/Exim/exim/compare/exim-4.95...exim-4.96

Release Notes https://github.com/Exim/exim/wiki/EximSecurity

Exploit https://github.com/ivd38/exim_invalid_free

Mailing List https://lists.exim.org/lurker/message/20220625.141825.d6de6074.en.html

Vendor Advisory https://www.exim.org/static/doc/security/

Mailing List https://www.openwall.com/lists/oss-security/2022/08/06/1

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 9/34 · Low

Exposure 9/34 · Low