
Exim has released a security update to address a critical security issue affecting certain configurations that could lead to memory corruption and potential code execution.
Exim is an open source mail transfer agent (MTA) designed to enable Unix-like systems to receive, route, and deliver email.
The vulnerability is tracked as CVE-2026-45185 (also known as Dead.Letter) and is described as a use-after-free vulnerability in Exim’s Binary Data Transmission (BDAT) message body parsing when TLS connections are handled by GnuTLS.
“The vulnerability is triggered when, while processing a BDAT message body, the client sends a TLS close_notify alert before the body transfer is complete and then follows up with a final byte of clear text on the same TCP connection,” Exim said in an advisory published today.
“This sequence of events allows Exim to write to memory buffers that have already been freed during TLS session teardown, potentially leading to heap corruption. The attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension.”
This issue affects all Exim versions from 4.97 to 4.99.2. However, only builds with USE_GNUTLS=yes are affected. This means builds that rely on other TLS libraries such as OpenSSL are not affected.
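The affected set above has two conditions, version and TLS library, and both are visible in the output of `exim -bV`. The script below is an added example for checking a host against those conditions; it is not from the Exim advisory or the Exim code base. It assumes that `exim -bV` prints a line beginning "Exim version X.Y.Z" and a line beginning "Library version: GnuTLS:" or "Library version: OpenSSL:"; the sample outputs embedded at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Exim advisory or the Exim code base): decide
# from the text of `exim -bV` whether a build falls into the affected set
# described above (Exim 4.97 through 4.99.2, built against GnuTLS).
# Assumptions: `exim -bV` prints a line beginning "Exim version X.Y.Z" and a
# line beginning "Library version: GnuTLS:" or "Library version: OpenSSL:".
# The sample outputs at the bottom are constructed for this example.

# Return 0 if version $1 (e.g. 4.98.1) lies within 4.97 .. 4.99.2 inclusive.
version_in_affected_range() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    if [ -z "$patch" ]; then patch=0; fi      # "4.97" means 4.97.0
    [ "$major" -eq 4 ] 2>/dev/null || return 1
    [ "$minor" -ge 97 ] 2>/dev/null || return 1
    [ "$minor" -le 99 ] 2>/dev/null || return 1
    if [ "$minor" -eq 99 ] && [ "$patch" -gt 2 ]; then return 1; fi   # 4.99.3+ is fixed
    return 0
}

# Print one of: affected, not-affected, unknown  for the `exim -bV` text in $1.
classify_exim_bv() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    if printf '%s\n' "$1" | grep -q '^Library version: GnuTLS:'; then
        tls=gnutls
    elif printf '%s\n' "$1" | grep -q '^Library version: OpenSSL:'; then
        tls=openssl
    else
        tls=unknown
    fi
    if ! version_in_affected_range "$ver"; then
        echo not-affected      # outside 4.97..4.99.2, whatever the TLS library
    elif [ "$tls" = gnutls ]; then
        echo affected          # vulnerable version built with USE_GNUTLS=yes
    elif [ "$tls" = openssl ]; then
        echo not-affected      # OpenSSL builds are not affected
    else
        echo unknown           # vulnerable version, TLS library not determinable
    fi
}

# Constructed `exim -bV` outputs (dates and library versions are made up).
SAMPLE_GNUTLS=$(printf 'Exim version 4.99.2 #2 built 01-Jan-2026 10:00:00\nSupport for: crypteq iconv() IPv6 GnuTLS\nLibrary version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3\n')
SAMPLE_OPENSSL=$(printf 'Exim version 4.99.2 #2 built 01-Jan-2026 10:00:00\nSupport for: crypteq iconv() IPv6 OpenSSL\nLibrary version: OpenSSL: Compile: OpenSSL 3.0.13 30 Jan 2024\n')
SAMPLE_FIXED=$(printf 'Exim version 4.99.3 #1 built 01-Jan-2026 09:00:00\nLibrary version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3\n')

echo "constructed 4.99.2/GnuTLS sample:  $(classify_exim_bv "$SAMPLE_GNUTLS")"
echo "constructed 4.99.2/OpenSSL sample: $(classify_exim_bv "$SAMPLE_OPENSSL")"
echo "constructed 4.99.3/GnuTLS sample:  $(classify_exim_bv "$SAMPLE_FIXED")"

# On a real host, classify the installed binary (skipped if exim is absent).
if command -v exim >/dev/null 2>&1; then
    echo "this host: $(classify_exim_bv "$(exim -bV 2>/dev/null)")"
fi
```

The classifier deliberately reports `unknown` rather than `not-affected` when the version is in range but neither library line is found, so a parsing failure on an unusual build never reads as a clean result.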
Federico Kirschbaum, Head of Security Lab at XBOW, an autonomous cybersecurity testing platform, is credited with discovering and reporting the flaw on May 1, 2026.
“During TLS shutdown, Exim frees the TLS transfer buffer, but the nested BDAT receive wrapper can still process the received bytes and eventually calls ungetc() and writes a single character (\n) into the freed space,” Kirschbaum said. “That one-byte write reaches Exim’s allocator metadata and corrupts the allocator’s internal shape. The exploit then uses that corruption to obtain more primitives.”
XBOW described the vulnerability as “one of the highest-level bugs” ever discovered in Exim, adding that little special configuration is required on the server to trigger the vulnerability.
This shortcoming has been resolved in version 4.99.3, and Exim encourages all users to upgrade as soon as possible. There are no mitigations available for this vulnerability other than applying the update.
“This fix ensures that the input processing stack is reset when a TLS close notification is received during an active BDAT transfer, preventing stale pointers from being used,” Exim said.
This is not the first time a serious use-after-free bug in Exim has been disclosed. In late 2017, Exim patched a use-after-free vulnerability in the SMTP daemon (CVE-2017-16943, CVSS score: 9.8). Successful exploitation by an unauthenticated attacker, via a specially crafted BDAT command, could lead to remote code execution and allow the attacker to gain control of the email server.
