CVE-2025-30232
Exim vulnerability analysis and mitigation

Overview

A use-after-free vulnerability was discovered in Exim mail server versions 4.96 through 4.98.1. The vulnerability was reported by Trend Micro on March 13, 2025, and was assigned CVE-2025-30232 on March 19, 2025. It affects systems running those Exim versions on which local users have command-line access (Exim Security).

Technical details

The vulnerability is classified as a use-after-free (CWE-416) issue that could lead to privilege escalation. Under CVSS 3.1 it received a base score of 8.1 (HIGH) with the vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. This indicates that local access is required and the attack complexity is high, but no privileges or user interaction are needed; the scope is changed, and a successful exploit has high impact on confidentiality, integrity, and availability (NVD).

Impact

The vulnerability could allow users with command-line access to escalate privileges on affected systems. This is a significant risk because a local attacker could gain elevated access to the host (MITRE CVE).

Mitigation and workarounds

The vulnerability has been fixed in various distributions. Ubuntu has released fixes in versions 4.98-1ubuntu2.1 for 24.10 and 4.97-4ubuntu4.3 for 24.04 LTS. Debian has addressed the issue with version 4.96-15+deb12u7 for bookworm and 4.98.2-1 for sid and trixie. Systems running versions prior to 4.96 are not affected by this vulnerability (Ubuntu Security).
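A local check against the version boundaries above, added here as an example and not code from Wiz or the Exim project. It assumes `exim -bV` prints a line starting "Exim version X.Y[.Z]"; the fixed package versions are the ones quoted above, and because those are backports whose upstream part is still inside the affected range, the package version must be compared with dpkg rather than the bare upstream number.

```python
"""Check an Exim installation against the CVE-2025-30232 affected range.
Added example; version boundaries and fixed package versions come from the advisory."""
import re
import subprocess

AFFECTED_MIN = (4, 96, 0)   # first affected upstream release
AFFECTED_MAX = (4, 98, 1)   # last affected upstream release; 4.98.2 is fixed

# Distribution packages carrying a backported fix (versions from the advisory).
# Their upstream part is still inside the range, so compare the installed
# package version with `dpkg --compare-versions`, never the upstream number.
FIXED_PACKAGES = {
    "ubuntu-24.10": "4.98-1ubuntu2.1",
    "ubuntu-24.04": "4.97-4ubuntu4.3",
    "debian-bookworm": "4.96-15+deb12u7",
    "debian-trixie": "4.98.2-1",
    "debian-sid": "4.98.2-1",
}

def parse_version(text):
    """Return (major, minor, patch) from a bare version or `exim -bV` output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no Exim version found in: %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(version):
    """True when the upstream version lies in 4.96 .. 4.98.1 inclusive."""
    v = parse_version(version) if isinstance(version, str) else version
    return AFFECTED_MIN <= v <= AFFECTED_MAX

def dpkg_compare_cmd(installed, distro):
    """Command that exits 0 when the installed package already carries the fix."""
    return ["dpkg", "--compare-versions", installed, "ge", FIXED_PACKAGES[distro]]

def check_local_exim():
    """Run `exim -bV` (assumed output format); None if exim is absent or hangs."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True,
                             timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    v = parse_version(out)
    return v, is_affected(v)

if __name__ == "__main__":
    result = check_local_exim()
    print("exim not found" if result is None else
          "Exim %d.%d.%d in affected range: %s (verify distro backports with dpkg)"
          % (*result[0], result[1]))
```

On Debian or Ubuntu, run the command returned by `dpkg_compare_cmd` with the output of `dpkg-query -W -f '${Version}' exim4-base` to settle whether a backported fix is installed.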

Community reactions

The vulnerability was responsibly disclosed by Trend Micro (ZDI-CAN-26250). The Exim project coordinated with distribution maintainers, providing early access to security fixes before public disclosure. A coordinated release timeline was followed, with distribution notifications on March 19, 2025, and public disclosure on March 26, 2025 (OSS Security).

This report was generated using AI.
