Full Report
A newly disclosed Exim BDAT vulnerability affects email server deployments that use Exim as their Mail Transfer Agent (MTA) and has drawn security attention because of its severity. Tracked as CVE-2026-45185 with a CVSS score of 9.8 and referred to internally as “Dead.Letter,” the issue is classified as a remote use-after-free that can lead to memory corruption and, under specific conditions involving GnuTLS, potentially to code execution. Exim, an open-source MTA widely used on Unix-like systems for receiving, routing, and delivering email, has released a security update addressing the flaw. The vulnerability primarily affects configurations where Exim is built with GnuTLS support enabled.

Technical Overview of the Exim BDAT Vulnerability

The Exim BDAT vulnerability (CVE-2026-45185) is rooted in how Exim handles BDAT (Binary Data) SMTP message transfers when a TLS session is terminated unexpectedly. Specifically, the flaw occurs in the message body parsing logic when a TLS close_notify alert is received before a BDAT transfer completes. The use-after-free arises because Exim continues processing incoming data after the TLS session teardown has already freed its internal memory buffers. If the client then sends an additional byte in cleartext over the same TCP connection, Exim may attempt to write into already freed heap memory. The resulting memory corruption can, in certain circumstances, be leveraged to achieve code execution.

Exim maintainers summarized the triggering sequence as follows: the vulnerability appears when a TLS session is closed via close_notify during an active BDAT transfer, followed by continued data transmission on the same connection. This unexpected state transition allows the Exim BDAT vulnerability to surface in affected builds.

Affected Configurations and Scope of CVE-2026-45185

The vulnerability affects Exim versions 4.97 through 4.99.2, but only when compiled with USE_GNUTLS=yes. Systems built with other TLS backends, such as OpenSSL, are not impacted. Key affected conditions include:

- Exim versions 4.97 to 4.99.2
- Builds using GnuTLS
- SMTP sessions utilizing the CHUNKING (BDAT) extension
- TLS connections interrupted by close_notify during BDAT processing

Because the flaw is a use-after-free, exploitation depends on precise timing and protocol manipulation, but it remains classified as remotely triggerable over network connections.

Security Advisory Timeline for the Exim BDAT Vulnerability

The coordinated disclosure process for CVE-2026-45185 followed a structured timeline beginning in early May 2026:

- 2026-05-01 17:29 UTC: Initial report submitted by Federico Kirschbaum (XBOW Security)
- 2026-05-04 20:00 UTC: Follow-up requesting status of the report
- 2026-05-05 ~02:53 UTC: Exim maintainers acknowledged the issue and confirmed a private fix was underway
- 2026-05-07 14:14 UTC: Disclosure coordination discussion initiated by the reporter
- 2026-05-07 22:00 UTC: Notification sent to distribution maintainers via distros@openwall
- 2026-05-10 20:00 UTC: Restricted fix access shared with distributors
- 2026-05-12 14:00 UTC: Public advisory and patch release

The official advisory, EXIM-Security-2026-05-01.1, confirmed the issue as a remote use-after-free (UAF) class vulnerability and noted that the final CVE assignment was pending at the time of release.

Impact of the Exim BDAT Vulnerability on Mail Transfer Systems

Because Exim is a widely deployed MTA, the Exim BDAT vulnerability has potential implications for mail infrastructure that relies on GnuTLS-backed TLS sessions. The flaw is particularly relevant in environments where SMTP CHUNKING (BDAT) is enabled, as it directly interacts with message body transfer behavior. The vulnerability is considered severe because of its memory corruption potential. The CVSS rating of 9.8 reflects the possibility that a successful exploit could escalate into code execution, depending on system conditions and memory layout.

The issue was resolved in Exim version 4.99.3, which introduces corrected handling of TLS session teardown during BDAT transfers. The fix ensures that internal processing state is properly reset when a close_notify alert is received, preventing stale memory references and eliminating the use-after-free condition. According to the advisory, there is no known mitigation other than upgrading. Administrators running affected versions are strongly advised to move to Exim 4.99.3 or later as soon as possible.
Analysis Summary
# Vulnerability: Exim "Dead.Letter" Remote Use-After-Free
## CVE Details
- **CVE ID:** CVE-2026-45185
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-416 (Use After Free)
## Affected Systems
- **Products:** Exim Mail Transfer Agent (MTA)
- **Versions:** 4.97 through 4.99.2
- **Configurations:** Systems compiled with GnuTLS support (`USE_GNUTLS=yes`) and utilizing the `CHUNKING` (BDAT) SMTP extension. Systems using OpenSSL are not affected.
## Vulnerability Description
The flaw, internally dubbed "Dead.Letter," exists in Exim's message body parsing logic during BDAT (Binary Data) transfers. When a TLS session is terminated via a `close_notify` alert while a BDAT transfer is still active, Exim fails to properly reset its internal processing state.
If the client continues to send data (even a single byte in cleartext) over the same TCP connection after the TLS teardown, Exim attempts to write that data into memory buffers that have already been freed. This results in memory corruption within the heap.
## Exploitation
- **Status:** Coordinated disclosure; no documented "in-the-wild" exploitation reported at time of advisory.
- **Complexity:** Medium (Requires precise protocol timing and manipulation of TLS/SMTP session states).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential for unauthorized data access via code execution).
- **Integrity:** High (Memory corruption can lead to arbitrary code execution).
- **Availability:** High (Can lead to service crashes or system takeover).
## Remediation
### Patches
- **Exim 4.99.3:** This version addresses the flaw by ensuring internal states are correctly reset upon receiving a TLS `close_notify` during BDAT transfers.
### Workarounds
- There are no known software mitigations or configuration workarounds. Administrators must upgrade the Exim binary to version 4.99.3 or later.
## Detection
- **Indicators of Compromise:** Unusual SMTP session behavior where TLS connections are closed followed by immediate cleartext data transmission on the same socket.
- **Detection Methods:** Monitor mail logs for unexpected TLS session teardowns during large BDAT transfers. Vulnerability scanners should check Exim version strings and build configurations for GnuTLS.
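As an added check for the version and build-configuration guidance above (my example, not code from the advisory or from the Exim project), the following Python parses `exim -bV` output and flags builds in the 4.97 to 4.99.2 range that list GnuTLS as the TLS backend; the `Support for:` line layout and the sample output are assumptions.

```python
"""Assess whether an Exim build falls in the CVE-2026-45185 affected set.

Assumptions (mine, not from the advisory): the text parsed is `exim -bV`
output, whose first line starts "Exim version X.Y[.Z]" and whose
"Support for:" line names the TLS backend (GnuTLS or OpenSSL).
"""
import re
import subprocess

AFFECTED_MIN = (4, 97, 0)  # first affected release named in the advisory
AFFECTED_MAX = (4, 99, 2)  # last affected release; 4.99.3 carries the fix


def parse_version(text):
    """Return the Exim version as a 3-tuple of ints, or None if absent."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)*)", text, re.MULTILINE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])  # "4.97" -> (4, 97, 0)


def tls_backend(text):
    """Return 'GnuTLS', 'OpenSSL' or None from the 'Support for:' line."""
    m = re.search(r"^Support for:(.*)$", text, re.MULTILINE)
    if not m:
        return None
    features = m.group(1).split()
    for name in ("GnuTLS", "OpenSSL"):
        if name in features:
            return name
    return None


def assess(text):
    """Classify a build as 'affected', 'not_affected' or 'unknown'."""
    ver, backend = parse_version(text), tls_backend(text)
    if ver is None or backend is None:
        return "unknown"  # cannot decide; inspect the build by hand
    if backend == "GnuTLS" and AFFECTED_MIN <= ver <= AFFECTED_MAX:
        return "affected"
    return "not_affected"  # OpenSSL build, or outside 4.97..4.99.2


# Constructed sample (not a real capture) of an exposed GnuTLS build.
SAMPLE_GNUTLS = """Exim version 4.99.2 #3 built 01-Apr-2026 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP
Library version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3
"""

if __name__ == "__main__":
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True)
    print(assess(out.stdout))
```

On Debian-derived systems the binary is `exim4`, and a distribution that backports the fix without changing the version string will still be reported as affected, so treat the result as a triage signal rather than a verdict.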
## References
- **Vendor Advisory:** EXIM-Security-2026-05-01.1
- **Exim Main Site:** hxxps[://]www[.]exim[.]org/
- **Security Report:** hxxps[://]thecyberexpress[.]com/exim-bdat-vulnerability-cve-2026-45185/