A newly uncovered critical vulnerability in the Exim mail server software permits remote attackers to execute arbitrary code, posing a severe risk to affected systems.
Identified by Federico Kirschbaum of XBOW’s Security Lab, the flaw, termed Dead.Letter, has drawn significant attention due to its high CVSS score of 9.8, indicating an urgent need for remediation.
Organizations using Exim must act promptly, as the exploit requires no special configurations and can be executed without user interaction.
Exim Remote Code Execution Issue
The vulnerability is rooted in a use-after-free memory corruption issue, tracked as CVE-2026-45185. This flaw emerges during the parsing of binary data by the GnuTLS library in TLS connections.
Security advisories from Exim and CyCognito explain that attackers can manipulate connection sequences, causing the mail server to write to an already freed memory buffer.
By sending a TLS close alert followed by a cleartext byte on the same connection, attackers can disrupt the memory allocation process, allowing for privilege escalation and remote code execution.
Impact on Exim Deployments
This vulnerability specifically impacts Exim versions 4.97 to 4.99.2 compiled with GnuTLS. Versions using other libraries, like OpenSSL, are not affected.
The threat is mainly concentrated on systems running Debian, Ubuntu, and related distributions, while platforms such as Red Hat Enterprise Linux are generally unaffected.
The critical nature of this flaw demands immediate attention, as it cannot be mitigated through simple configuration adjustments.
Mitigation and Recommendations
The Exim development team has addressed the issue in version 4.99.3. Security experts universally recommend upgrading to this version to safeguard systems.
Due to the lack of alternative remedies, patching is the only reliable solution to prevent exploitation of this vulnerability.
System administrators are urged to prioritize these updates to ensure the security and integrity of their mail servers.
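As an added example (not code from the advisory, CyCognito or the Exim project), the following Python script parses the output of `exim -bV` and reports whether a build falls in the affected 4.97 to 4.99.2 range and is linked against GnuTLS rather than OpenSSL. The sample outputs are constructed, and the `Library version:` and `Support for:` line formats are assumed to match what the installed binary prints.

```python
import re
import subprocess
from typing import Optional, Tuple
# Affected range as stated above: 4.97 through 4.99.2 built with GnuTLS; 4.99.3 is the fix.
AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the Exim version from 'exim -bV' output as a (major, minor, patch) tuple."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def tls_library(text: str) -> Optional[str]:
    """Return 'GnuTLS' or 'OpenSSL' depending on which TLS library the binary reports."""
    m = re.search(r"^Library version: (GnuTLS|OpenSSL):", text, re.MULTILINE)
    if m:
        return m.group(1)
    # Fall back to the 'Support for:' feature line, which also names the TLS backend (assumed format).
    m = re.search(r"^Support for:.*\b(GnuTLS|OpenSSL)\b", text, re.MULTILINE)
    return m.group(1) if m else None

def is_exposed(text: str) -> bool:
    """True only for Exim 4.97..4.99.2 linked against GnuTLS (the CVE-2026-45185 condition)."""
    version = parse_version(text)
    if version is None:
        return False
    return AFFECTED_MIN <= version <= AFFECTED_MAX and tls_library(text) == "GnuTLS"

def check_local_exim() -> Optional[bool]:
    """Run the installed exim binary and report exposure; None if no exim is on PATH."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return is_exposed(out)

# Constructed sample outputs (not real captures) so the check can be exercised offline.
SAMPLE_GNUTLS = """Exim version 4.98.1 #2 built 01-Jan-2025 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM
Library version: GnuTLS: Compile: 3.8.3
"""
SAMPLE_OPENSSL = """Exim version 4.98.1 #2 built 01-Jan-2025 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL DANE DKIM
Library version: OpenSSL: Compile: OpenSSL 3.0.13
"""

if __name__ == "__main__":
    print("GnuTLS sample exposed:", is_exposed(SAMPLE_GNUTLS), "| OpenSSL sample:", is_exposed(SAMPLE_OPENSSL))
    print("local exim exposed:", check_local_exim())
```

A result of True means the host should be upgraded to 4.99.3; distribution packages that backport the fix without changing the version string would need to be confirmed against the vendor's changelog instead.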