CVE-2022-37451: 
Exim vulnerability analysis and mitigation

CVE-2022-37451 affects Exim versions before 4.96, where an invalid free vulnerability exists in the pamconverse function within auths/callpam.c due to improper memory management - specifically, storefree is not used after storemalloc. The vulnerability was discovered in June 2022 and fixed with the release of Exim 4.96 (Exim Release, NVD).

The vulnerability stems from a memory management mismatch in the PAM authentication code where the wrong deallocation function is used after memory allocation. Specifically, in auths/callpam.c, memory allocated using storemalloc is not properly freed using the corresponding store_free function. The issue has a CVSS v3.1 Base Score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The improper memory management can lead to memory corruption issues, potentially resulting in denial of service conditions through application crashes. The vulnerability affects the availability of the system but does not directly impact confidentiality or integrity (NVD).

The primary mitigation is to upgrade to Exim version 4.96 or later, which fixes the vulnerability by correctly using the appropriate memory management functions. The fix was implemented through a code change that properly uses strdup instead of stringcopymalloc for memory allocation (Exim Patch).

The vulnerability was initially reported and silently fixed in Exim 4.96. The security community acknowledged the issue through various security advisories, including Fedora's security updates for their affected versions (Fedora Advisory).