Critical Exim GnuTLS Flaw Exposes Servers to Attacks

Posted on May 13, 2026 By CWS

Exim, one of the most widely deployed mail transfer agents on the internet, is affected by a serious vulnerability. Tracked by the project as EXIM-Security-2026-05-01.1, the flaw lets an unauthenticated remote attacker corrupt server memory and potentially execute arbitrary code; no credentials or special privileges are required.

Background and Discovery

The vulnerability was publicly disclosed on May 12, 2026, following a coordinated disclosure process that began earlier that month. It lies in Exim's GnuTLS backend, the code path that handles TLS-encrypted SMTP sessions, and is triggered when a client uses the SMTP BDAT command (the CHUNKING extension) to transmit a message body in segments.

If the client sends a TLS close_notify alert before the body transfer is complete, then follows it with a single plaintext byte on the same TCP connection, the server is left in an inconsistent state.

Technical Details and Impact

Heiko Schlittermann and the Exim team confirmed the vulnerability after receiving a report from Federico Kirschbaum of XBOW Security on May 1, 2026. They developed a fix and gave distributors early access to the patches ahead of the public announcement on May 12.

The flaw is particularly alarming because its preconditions are minimal: an attacker only needs to be able to open a TLS connection to the Exim server and use the BDAT extension, both of which are standard capabilities of modern mail systems. No account, authentication, or prior access is required.

Vulnerability Scope and Mitigation

Exim runs on a large share of Linux mail servers on the internet, which makes the flaw significant. It affects Exim versions 4.97 through 4.99.2 when built with GnuTLS support, a range that covers a substantial number of active mail servers.

The vulnerability is a use-after-free, a memory-safety error in which a program keeps using memory after it has been deallocated. When Exim receives a TLS close_notify alert in the middle of a BDAT transfer, the TLS session teardown frees resources but leaves stale pointers behind. A single cleartext byte sent afterwards is processed through one of those dangling pointers, corrupting the heap and potentially allowing code execution.

Only Exim builds compiled with USE_GNUTLS=yes are affected; servers whose Exim is linked against OpenSSL (the other TLS backend Exim supports) are not exposed to this specific bug.

Recommended Actions

On May 12, 2026, the Exim team released version 4.99.3, which fixes the flaw by resetting the input processing stack when a TLS close notification arrives during a BDAT transfer. That reset breaks the chain of events that leads to the memory corruption.

Administrators running Exim 4.97 through 4.99.2 with GnuTLS should upgrade immediately: there is no workaround and no configuration change that mitigates the issue. To confirm which TLS backend a given build uses, run `exim -bV` and check whether the "Support for:" line lists GnuTLS or OpenSSL. The patched release is available from Exim's official FTP server and source repository.
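The scope and upgrade guidance above reduce to a two-part check per host: is the running Exim inside the 4.97 to 4.99.2 window, and was it built against GnuTLS rather than OpenSSL? The following triage helper is an added example, not code from the Exim project or from the advisory. It parses the output of `exim -bV` (the "Exim version" line and the "Support for:" feature line) and classifies the build; the affected range and fixed version are taken from the text above, and the sample `-bV` excerpts embedded in the block are constructed for offline use rather than captured from real servers.

```python
"""Triage helper for EXIM-Security-2026-05-01.1 (GnuTLS BDAT use-after-free).

Added example; not part of the Exim project or the advisory. The affected
range (4.97 .. 4.99.2, GnuTLS builds only) and the fixed release (4.99.3)
are assumptions taken from the article. The sample `exim -bV` excerpts are
constructed for illustration and were not captured from real hosts.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (4, 97, 0)   # from the advisory summary
AFFECTED_MAX: Version = (4, 99, 2)   # from the advisory summary
FIXED: Version = (4, 99, 3)          # release that resets the input stack

# Constructed `exim -bV` excerpts (only the lines this helper reads matter).
SAMPLE_GNUTLS_AFFECTED = """Exim version 4.98.1 #2 built 10-Feb-2026 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS DANE DKIM DNSSEC Event OCSP
Library version: GnuTLS: Compile: 3.8.3
"""
SAMPLE_OPENSSL = """Exim version 4.98.1 #2 built 10-Feb-2026 12:00:00
Support for: crypteq iconv() IPv6 OpenSSL DANE DKIM DNSSEC Event OCSP
Library version: OpenSSL: Compile: OpenSSL 3.0.13
"""
SAMPLE_FIXED = """Exim version 4.99.3 #1 built 12-May-2026 09:00:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP
"""
SAMPLE_OLD = """Exim version 4.96 #2 built 01-Jan-2023 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM
"""


def parse_version(bv_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the 'Exim version X.Y[.Z] #N' line."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_backend(bv_output: str) -> Optional[str]:
    """Return 'GnuTLS' or 'OpenSSL' from the 'Support for:' feature list, else None."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.MULTILINE)
    if not m:
        return None
    features = set(m.group(1).split())
    for backend in ("GnuTLS", "OpenSSL"):
        if backend in features:
            return backend
    return None


def assess(bv_output: str) -> Dict[str, object]:
    """Classify one `exim -bV` output against the advisory's affected range."""
    version = parse_version(bv_output)
    backend = tls_backend(bv_output)
    result: Dict[str, object] = {"version": version, "backend": backend}
    if version is None or backend is None:
        result["status"] = "unknown"
        result["action"] = "could not parse version or TLS backend; inspect `exim -bV` by hand"
    elif backend != "GnuTLS":
        result["status"] = "not_affected"
        result["action"] = f"{backend} build: not exposed to this GnuTLS-specific bug"
    elif AFFECTED_MIN <= version <= AFFECTED_MAX:
        result["status"] = "affected"
        result["action"] = "upgrade to 4.99.3 or later; no configuration workaround exists"
    elif version >= FIXED:
        result["status"] = "fixed"
        result["action"] = "at or above the fixed release"
    else:
        result["status"] = "outside_range"
        result["action"] = "below 4.97: outside the advisory's stated affected range"
    return result


def assess_local(exim_binary: str = "exim") -> Dict[str, object]:
    """Run `exim -bV` on this host and classify the installed build."""
    proc = subprocess.run([exim_binary, "-bV"], capture_output=True, text=True, check=False)
    return assess(proc.stdout)


if __name__ == "__main__":
    for name, sample in (("gnutls-4.98.1", SAMPLE_GNUTLS_AFFECTED),
                         ("openssl-4.98.1", SAMPLE_OPENSSL),
                         ("gnutls-4.99.3", SAMPLE_FIXED),
                         ("gnutls-4.96", SAMPLE_OLD)):
        r = assess(sample)
        print(f"{name:16} {r['status']:14} {r['action']}")
```

Version tuples compare lexicographically, so "4.99" (parsed as 4.99.0) and "4.99.2" both fall inside the window while "4.99.3" does not; a build whose "Support for:" line names neither backend is reported as unknown rather than silently treated as safe. `assess_local()` only works where an Exim binary is installed; the constructed samples let the rest run anywhere.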


Tags: code execution, Cybersecurity, email security, Exim, GnuTLS, patch update, server security, SMTP, TLS, Vulnerability
