A newly revealed Exim BDAT vulnerability is affecting some email server setups that use Exim as their Mail Transfer Agent (MTA), prompting security attention due to its severity. Tracked as CVE-2026-45185 with a CVSS score of 9.8 and internally referred to as “Dead.Letter,” the issue is classified as a remote use-after-free vulnerability that can lead to memory corruption and potentially code execution under specific conditions involving GnuTLS.
Exim, an open-source MTA (Mail Transfer Agent) widely used on Unix-like systems for receiving, routing, and delivering email, has released a security update addressing the flaw. The vulnerability primarily affects configurations where Exim is built with GnuTLS support enabled.
Technical Overview of the Exim BDAT Vulnerability
The Exim BDAT vulnerability (CVE-2026-45185) is rooted in how Exim handles BDAT (Binary Data) SMTP message transfers when TLS sessions are terminated unexpectedly. Specifically, the flaw occurs in the message body parsing logic when a TLS close_notify alert is received before a BDAT transfer completes.
In this scenario, the use-after-free vulnerability emerges when Exim continues processing incoming data after the TLS session teardown has already freed internal memory buffers. If a client then sends an additional byte in cleartext over the same TCP connection, Exim may attempt to write into already freed heap memory. This leads to memory corruption, which can be leveraged in certain circumstances to achieve code execution.
Exim maintainers summarized the triggering sequence as follows: the vulnerability appears when a TLS session is closed via close_notify during an active BDAT transfer, followed by continued data transmission on the same connection. This unexpected state transition allows the Exim BDAT vulnerability to surface in affected builds.
Affected Configurations and Scope of CVE-2026-45185
The vulnerability affects Exim versions 4.97 through 4.99.2, but only when compiled with USE_GNUTLS=yes. Systems built with other TLS backends, such as OpenSSL, are not impacted.
Key affected conditions include:
- Exim versions 4.97 to 4.99.2
- Builds using GnuTLS
- SMTP sessions utilizing the CHUNKING (BDAT) extension
- TLS connections interrupted by close_notify during BDAT processing
Because the flaw is a use-after-free, exploitation depends on precise timing and protocol manipulation, but it remains classified as remotely triggerable over network connections.
Security Advisory Timeline for the Exim BDAT Vulnerability
The coordinated disclosure process for CVE-2026-45185 followed a structured timeline beginning in early May 2026:
- 2026-05-01 17:29 UTC: Initial report submitted by Federico Kirschbaum (XBOW Security)
- 2026-05-04 20:00 UTC: Follow-up requesting status of the report
- 2026-05-05 ~02:53 UTC: Exim maintainers acknowledged the issue and confirmed a private fix was underway
- 2026-05-07 14:14 UTC: Disclosure coordination discussion initiated by reporter
- 2026-05-07 22:00 UTC: Notification sent to distribution maintainers via distros@openwall
- 2026-05-10 20:00 UTC: Restricted fix access shared with distributors
- 2026-05-12 14:00 UTC: Public advisory and patch release
The official advisory, EXIM-Security-2026-05-01.1, confirmed the issue as a remote use-after-free (UAF) class vulnerability and noted that the final CVE assignment was pending at the time of release.
Impact of the Exim BDAT Vulnerability on Mail Transfer Systems
Because Exim functions as a widely deployed MTA, the Exim BDAT vulnerability has potential implications for mail infrastructure that relies on GnuTLS-backed TLS sessions. The flaw is particularly relevant in environments where SMTP CHUNKING (BDAT) is enabled, as it directly interacts with message body transfer behavior.
The vulnerability is considered severe due to its memory corruption potential. The CVSS rating of 9.8 reflects the possibility that a successful exploit could escalate into code execution, depending on system conditions and memory layout.
The issue was resolved in Exim version 4.99.3, which introduces corrected handling of TLS session teardown during BDAT transfers. The fix ensures that internal processing states are properly reset when a close_notify alert is received, preventing stale memory references and eliminating the use-after-free vulnerability condition.
According to the advisory, there is no known mitigation other than upgrading. Administrators running affected versions are strongly advised to move to Exim 4.99.3 or later as soon as possible.