Exim BDAT Vulnerability Poses Risk of Code Execution in GnuTLS Builds

A newly discovered vulnerability in Exim could allow for memory corruption and potential code execution in specific configurations using GnuTLS. Users are urged to upgrade to the latest version to mitigate risks.

A critical vulnerability has been identified in Exim, an open-source Mail Transfer Agent (MTA) used primarily on Unix-like systems. This issue, tracked as CVE-2026-45185 and referred to as Dead.Letter, affects certain configurations that utilize GnuTLS, potentially allowing for memory corruption and code execution.

Details of the Vulnerability

The vulnerability arises from a use-after-free condition during the handling of BDAT message bodies when a TLS connection is managed by GnuTLS. According to Exim’s advisory, the issue is triggered when a client sends a TLS close_notify alert before the completion of the body transfer, followed by a final byte in cleartext on the same TCP connection. This sequence can lead to Exim writing into a memory buffer that has already been freed, resulting in heap corruption.

Affected Versions and Impact

All Exim versions from 4.97 through 4.99.2 are affected, but only builds compiled with USE_GNUTLS=yes. Builds that use another TLS library, such as OpenSSL, are not affected. To reach the flaw, an attacker needs only to establish a TLS connection to the server and use the CHUNKING (BDAT) SMTP extension.

Discovery and Response

The flaw was discovered by Federico Kirschbaum, head of Security Lab at XBOW, on May 1, 2026. He noted that during the TLS shutdown process, Exim frees its TLS transfer buffer, but a nested BDAT receive wrapper can still process incoming bytes, which may lead to corruption of the allocator’s internal structure.

Mitigation and Recommendations

Exim has released a patch in version 4.99.3 to address this vulnerability. Users are strongly advised to upgrade to that version or later, as no mitigation short of upgrading is currently available. The fix resets the input processing stack appropriately when a TLS close notification is received during an active BDAT transfer, so that stale pointers are no longer used.
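Because exposure depends on both the version range above and the TLS library the binary was linked against, the practical first step for an administrator is to inspect the output of exim -bV. The script below, an added example that is not Exim project code, parses that output and reports whether a host falls in the affected set (4.97 through 4.99.2, built with GnuTLS). The exact wording of the "Support for:" and "Library version:" lines in real exim -bV output is an assumption, so both lines are scanned for the word GnuTLS; the sample output embedded in the script is constructed for offline use.

```python
"""Check whether an Exim build is in the affected set described in the
advisory: versions 4.97 through 4.99.2, built with GnuTLS (USE_GNUTLS=yes).
Added example; not Exim project code."""
import re
import shutil
import subprocess

# Range taken from the advisory text: 4.97 up to and including 4.99.2 are
# affected, 4.99.3 carries the fix.
FIRST_AFFECTED = (4, 97, 0)
FIXED_IN = (4, 99, 3)

# Constructed sample modelled on `exim -bV` output. The exact wording of the
# "Support for:" and "Library version:" lines is an assumption about the real
# binary, which is why both lines are scanned for "gnutls".
SAMPLE_OUTPUT = """Exim version 4.98.1 #2 built 12-Mar-2025 10:11:12
Copyright (c) University of Cambridge, 1995 - 2024
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DANE DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.7.9
"""

_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the Exim version as a (major, minor, patch) tuple, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def uses_gnutls(text):
    """True if the build reports GnuTLS as its TLS library."""
    for line in text.splitlines():
        if line.startswith(("Support for:", "Library version:")):
            if "gnutls" in line.lower():
                return True
    return False


def assess(text):
    """Classify a build: affected is True, False, or None when the version
    could not be parsed and the host needs manual review."""
    version = parse_version(text)
    gnutls = uses_gnutls(text)
    if version is None:
        affected = None
    else:
        # Only GnuTLS builds inside the range are exposed; OpenSSL builds are not.
        affected = gnutls and FIRST_AFFECTED <= version < FIXED_IN
    return {"version": version, "gnutls": gnutls, "affected": affected}


def fetch_build_info():
    """Run `exim -bV` if a binary is on PATH, else fall back to the sample."""
    exe = shutil.which("exim") or shutil.which("exim4")
    if exe is None:
        return SAMPLE_OUTPUT
    return subprocess.run([exe, "-bV"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    result = assess(fetch_build_info())
    ver = result["version"]
    print("Exim version:", ".".join(map(str, ver)) if ver else "unknown")
    print("GnuTLS build:", result["gnutls"])
    if result["affected"] is None:
        print("Status: could not determine version, review manually")
    elif result["affected"]:
        print("Status: AFFECTED, upgrade to 4.99.3 or later")
    else:
        print("Status: not in the affected set")
```

Run it on each mail host; a result of "AFFECTED" means the host is a GnuTLS build inside the vulnerable range and should be upgraded, while an OpenSSL build or a version of 4.99.3 or later is reported as not affected.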

This incident follows a history of similar vulnerabilities in Exim, including a notable use-after-free bug disclosed in 2017 (CVE-2017-16943), which also allowed for remote code execution via specially crafted BDAT commands.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
