OpenSMTPD has been found to contain yet another critical vulnerability that could allow remote attackers to take complete control of email servers running BSD or Linux operating systems. The latest issue, an out-of-bounds read, resides in a component of client-side code that was introduced nearly 5 years ago. A local or remote attacker can exploit the flaw in two ways by sending specially crafted SMTP messages: one works in the default configuration, and the other leverages the email bounce mechanism. If the “mbox” method is used for local delivery, then arbitrary command execution as root is still possible.
Source: https://thehackernews.com/2020/02/opensmtpd-email-vulnerability.html

