Exim, an open-source Mail Transfer Agent (MTA) for Unix-like systems, has issued security patches addressing a critical vulnerability that could lead to memory corruption and potential code execution. The flaw, identified as CVE-2026-45185, affects Exim versions 4.97 to 4.99.2 when configured with GnuTLS.
Understanding the Vulnerability
The vulnerability, named Dead.Letter, is a use-after-free issue in Exim’s handling of binary data transmission (BDAT) message bodies during TLS sessions managed by GnuTLS. This flaw is triggered when a client sends a TLS close_notify alert prior to completing the body transfer, followed by a final byte in cleartext on the same connection.
Such a sequence can result in Exim writing to a memory buffer that has already been released, leading to heap corruption. Attackers exploiting this weakness merely need to establish a TLS connection using the CHUNKING (BDAT) SMTP extension.
Affected Versions and Discovery
This vulnerability impacts all Exim builds from version 4.97 up to 4.99.2, specifically those using the USE_GNUTLS=yes configuration. Builds using other TLS libraries like OpenSSL remain unaffected.
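A quick way to decide whether a given host falls in the stated range is to parse the output of `exim -bV`, which prints the version on its first line and lists the TLS library (GnuTLS or OpenSSL) on its "Support for:" line. The following check is an added example, not code from Exim or from the advisory; the sample outputs are constructed, and the exact set of features printed by a real build will differ.

```python
import re
from typing import Optional, Tuple

# Range stated in the advisory: 4.97 through 4.99.2 inclusive, GnuTLS builds only.
FIRST_AFFECTED = (4, 97, 0)
LAST_AFFECTED = (4, 99, 2)
FIXED_VERSION = (4, 99, 3)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the version from the 'Exim version X.Y[.Z]' line as a 3-tuple."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_library(text: str) -> Optional[str]:
    """Return 'GnuTLS' or 'OpenSSL' from the 'Support for:' line, else None."""
    m = re.search(r"^Support for:(.*)$", text, re.MULTILINE)
    if not m:
        return None
    features = m.group(1).split()
    for lib in ("GnuTLS", "OpenSSL"):
        if lib in features:
            return lib
    return None


def is_affected(text: str) -> bool:
    """True only for a GnuTLS build whose version lies in the affected range."""
    version = parse_version(text)
    if version is None or tls_library(text) != "GnuTLS":
        return False
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


# Constructed sample outputs (not captured from a real host), trimmed to the two lines used.
SAMPLE_GNUTLS = (
    "Exim version 4.98.1 #2 built 01-Jan-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC OCSP\n"
)
SAMPLE_OPENSSL = (
    "Exim version 4.98.1 #2 built 01-Jan-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC OCSP\n"
)

if __name__ == "__main__":
    import subprocess
    # On a live host, feed the real output (the binary is named exim4 on Debian-based systems).
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    print("affected: upgrade to 4.99.3" if is_affected(out) else "not in the affected range/library")
```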
Federico Kirschbaum from XBOW, a cybersecurity testing platform, discovered and reported the issue on May 1, 2026. Kirschbaum noted that during TLS shutdown, Exim releases its TLS transfer buffer, yet a nested BDAT receive wrapper might still process incoming bytes, leading to buffer corruption.
Mitigation and Future Outlook
Exim has addressed this vulnerability in its latest release, version 4.99.3, and advises all users to update immediately, since no workaround exists short of upgrading. The update ensures the input processing stack is reset when a TLS close notification is received during a BDAT transfer, so that stale pointers into the freed buffer are never used.
This is not the first time Exim has encountered critical use-after-free vulnerabilities. In 2017, a similar flaw was patched that could have allowed attackers to execute remote code through crafted BDAT commands. Such incidents highlight the ongoing need for vigilance and timely updates in software security.
As this vulnerability underscores the potential risks in email server configurations, organizations are urged to prioritize the updating of their Exim installations to safeguard against exploitation.
