New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
New Exim BDAT Vulnerability 🚨
Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. The vulnerability, tracked as CVE-2026-45185, also known as Dead.Letter, has been described as a use-after-free vulnerability in Exim’s binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS. XBOW described the vulnerability as “one of the highest-caliber bugs” discovered in Exim to date, adding that triggering it requires almost no special configuration on the server.
According to an advisory released today by Exim, “The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection.” This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension. The issue impacts all Exim versions from 4.97 up to and including 4.99.2, but only affects builds that use USE_GNUTLS=yes.
Federico Kirschbaum, head of Security Lab at XBOW, has been credited with discovering and reporting the flaw on May 1, 2026. Kirschbaum explained, “During TLS shutdown, Exim frees its TLS transfer buffer - but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region. That one-byte write lands on Exim’s allocator metadata, corrupting the allocator’s internal shape; the exploit then leverages that corruption to gain further primitives.” The shortcoming has been addressed in version 4.99.3, and all users are advised to upgrade as soon as possible. There are no mitigations that resolve the vulnerability. Exim noted that “The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used.”
This is not the first time critical use-after-free bugs in Exim have been disclosed. In late 2017, Exim patched a use-after-free vulnerability in the SMTP daemon (CVE-2017-16943, CVSS score: 9.8) that unauthenticated attackers could have exploited to achieve remote code execution via specially crafted BDAT commands and seize control of the email server.
For more details, Read full article