Background Information 

On Thursday, September 26, 2019, the Exim maintainers received a bug report about a heap overflow in Exim.

On Friday, September 27, 2019, the Exim maintainers released a patch.

We will continue to update this page as more information becomes available.


From the Exim Developers:

There is a heap-based buffer overflow in string_vformat (string.c).
The currently known exploit uses an extraordinarily long EHLO string to
crash the Exim process that is receiving the message. While at this
mode of operation Exim already dropped its privileges, other paths to
reach the vulnerable code may exist.


The following versions of cPanel & WHM were patched to have the correct version of Exim.

All previous versions of cPanel & WHM below the stated versions are potentially vulnerable. 


How to determine if your server is up to date

The updated RPMs provided by cPanel should be at least 4.92-4 on version 82 as well as the EDGE tier, and 4.92-6 on LTS version 78.

rpm -q exim

Expected response on version 82 and the EDGE tier:


Expected response on LTS version 78:


What to do if you are not up to date

If your server is not running one of the above versions, update immediately. 

To upgrade your server, use WHM's interface (WHM >> Home >> cPanel >> Upgrade to Latest Version).

Alternatively, you can run the commands below to upgrade your server from the command line:

/scripts/check_cpanel_rpms --fix --long-list

To verify that the new Exim RPM was installed, run the following:

rpm -q exim

The output on version 82 and the EDGE tier should resemble below:


The output on LTS version 78 should resemble below:


Run the following to ensure the CVE is in the changelog:

rpm -q --changelog exim | grep CVE-2019-16928

The output on LTS version 78, version 82, and the EDGE tier should resemble below:

- Fix buffer overflow in string_vformat.  CVE-2019-16928
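The version check above can be scripted. The following is an added example, not cPanel's own code: it compares an `rpm -q exim` result against the minimum builds stated on this page. The function names and the sample package strings (with a placeholder ".example" release suffix) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not cPanel's code): compare an `rpm -q exim` result with the
# minimum builds stated on this page: 4.92-4 (version 82, EDGE), 4.92-6 (LTS 78).

# Minimum version-release for a tier, taken from the page text.
min_for_tier() {
    case "$1" in
        82|edge|EDGE) echo "4.92-4" ;;
        78)           echo "4.92-6" ;;
        *)            return 1 ;;
    esac
}

# Extract "<version>-<numeric release>" from "exim-<version>-<release>...".
exim_vr() {
    printf '%s\n' "$1" |
        sed -n 's/^exim-\([0-9][0-9.]*\)-\([0-9][0-9]*\).*$/\1-\2/p'
}

# vr_ge HAVE MIN: succeed when HAVE >= MIN, comparing fields numerically
# so that release 10 sorts above release 4.
vr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, pa, "-"); split(b, pb, "-")
        na = split(pa[1], x, "."); nb = split(pb[1], y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++)
            if (x[i] + 0 != y[i] + 0) exit !(x[i] + 0 > y[i] + 0)
        exit !(pa[2] + 0 >= pb[2] + 0)
    }'
}

# check_exim TIER PACKAGE: prints up-to-date, outdated, or unknown.
check_exim() {
    min=$(min_for_tier "$1") || { echo "unknown"; return 0; }
    have=$(exim_vr "$2")
    [ -n "$have" ] || { echo "unknown"; return 0; }
    if vr_ge "$have" "$min"; then echo "up-to-date"; else echo "outdated"; fi
}

# Constructed package strings; the ".example" release suffix is a placeholder.
for s in "82 exim-4.92-3.example.x86_64" "78 exim-4.92-4.example.x86_64" \
         "78 exim-4.92-10.example.x86_64"; do
    echo "$s -> $(check_exim "${s%% *}" "${s#* }")"
done
```

On a server, call it as `check_exim 82 "$(rpm -q exim)"`. A result of "unknown" means the package string could not be parsed, for example when Exim is not installed; the changelog check for CVE-2019-16928 remains the confirmation that the fix is present.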

If you are still experiencing issues or need additional help, please contact cPanel support.

Additional documentation

More detailed information can be found at the following websites:

