Exim has released a security update to address a serious vulnerability that, in certain build configurations, can lead to memory corruption and possibly code execution.
Exim is an open-source mail transfer agent (MTA) designed for Unix-like systems to receive, route, and deliver email.
The vulnerability, tracked as CVE-2026-45185 and also known as dead.letter, is described as a use-after-free in Exim's parsing of message bodies sent with the Binary Data Transmission (BDAT) command when the TLS connection is handled by GnuTLS.
“The vulnerability begins during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then sends the last byte in cleartext over the same TCP connection,” Exim said in an advisory issued today.
“This sequence of events could cause Exim to write to a memory buffer that has already been freed during the TLS session break, leading to heap corruption. An attacker would only need to be able to establish a TLS connection and use the Chunking (BDAT) SMTP extension.”
The issue affects all Exim versions from 4.97 up to and including 4.99.2, but only builds compiled with USE_GNUTLS=yes; builds that rely on another TLS library, such as OpenSSL, are not affected.
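Because exposure depends on both the version range and the TLS library the binary was linked against, the quickest triage on a mail host is to read both facts out of `exim -bV`. The following is an added example, not code from the Exim project or the advisory. It assumes the usual layout of `exim -bV` output (an "Exim version X.Y.Z" header line plus a "Support for:" line that lists GnuTLS or OpenSSL); the sample outputs are constructed for illustration, and the binary name (`exim`, or `exim4` on Debian-derived systems) is a parameter.

```python
import re
import subprocess

# Affected range from the advisory: 4.97 through 4.99.2 inclusive, GnuTLS builds only.
AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)


def parse_version(s):
    """Turn '4.99.2' or '4.97' into a comparable tuple, padding to three parts."""
    parts = [int(p) for p in s.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_exim_bv(output):
    """Extract (version_tuple, tls_lib) from `exim -bV` output.

    tls_lib is 'GnuTLS', 'OpenSSL' or None. Assumption: the library name appears
    as a token on the 'Support for:' line (newer builds also repeat it on a
    'Library version:' line, which is checked as a fallback).
    """
    version = None
    tls_lib = None
    for line in output.splitlines():
        m = re.match(r"Exim version (\d+(?:\.\d+)+)", line)
        if m:
            version = parse_version(m.group(1))
        if line.startswith(("Support for:", "Library version:")) and tls_lib is None:
            tokens = re.split(r"[\s:]+", line)
            if "GnuTLS" in tokens:
                tls_lib = "GnuTLS"
            elif "OpenSSL" in tokens:
                tls_lib = "OpenSSL"
    return version, tls_lib


def is_affected(output):
    """True if this build is in the vulnerable range AND uses GnuTLS."""
    version, tls_lib = parse_exim_bv(output)
    if version is None:
        raise ValueError("could not find an 'Exim version' line in output")
    return tls_lib == "GnuTLS" and AFFECTED_MIN <= version <= AFFECTED_MAX


def check_local_exim(binary="exim"):
    """Run the local binary and return (affected, version, tls_lib)."""
    out = subprocess.run([binary, "-bV"], capture_output=True, text=True, check=True).stdout
    version, tls_lib = parse_exim_bv(out)
    return is_affected(out), version, tls_lib


# Constructed sample outputs (not captured from real hosts) for offline use.
SAMPLE_GNUTLS = """Exim version 4.98.1 #2 built 25-Mar-2025 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.8.3
Configuration file is /etc/exim4/exim4.conf
"""

SAMPLE_OPENSSL = SAMPLE_GNUTLS.replace("GnuTLS", "OpenSSL")
SAMPLE_OLD_GNUTLS = SAMPLE_GNUTLS.replace("4.98.1", "4.96")


if __name__ == "__main__":
    try:
        affected, version, tls_lib = check_local_exim()
        print("local exim", ".".join(map(str, version)), tls_lib,
              "AFFECTED" if affected else "not affected")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("could not run exim -bV:", exc)
```

On a Debian or Ubuntu host call `check_local_exim("exim4")`. Note that distribution packages often backport fixes without bumping the upstream version string, so a result of "affected" from the version check alone should be confirmed against the package changelog before scheduling an emergency upgrade.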
Federico Kirschbaum, head of the security lab at XBOW, an autonomous cybersecurity testing platform, is credited with discovering and reporting the flaw on May 1, 2026.
“During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and call ungetc(), which writes a single character (\n) to the free field,” Kirschbaum said. “That one-byte write lands on Exim’s allocator metadata, thereby corrupting the internal size of the allocator; then the exploit takes advantage of that corruption to get more primitives.”
XBOW described this vulnerability as “one of the highest-caliber bugs” discovered in Exim to date, and stated that it requires almost no special configuration on the server to trigger.
The flaw has been addressed in version 4.99.3. All users are advised to upgrade as soon as possible. There are no workarounds that resolve the vulnerability.
“The fix ensures that the input processing stack is cleanly reset when a TLS shutdown is reported during an active BDAT transfer, preventing the use of stale pointers,” Exim said.
This is not the first time that use-after-free bugs have been revealed in Exim. In late 2017, Exim patched a use-after-free vulnerability in the SMTP daemon (CVE-2017-16943, CVSS score: 9.8), which unauthenticated attackers could use to achieve remote code execution and gain control of email servers via specially crafted BDAT commands.