New critical Exim mailer flaw allows remote code execution
Source: Bleeping Computer
Overview

A critical vulnerability affecting certain configurations of the Exim open‑source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code.
Identified as CVE‑2026‑45185, the issue impacts Exim versions before 4.99.3 that are built against the default GNU Transport Layer Security (GnuTLS) library for secure communication. It is a use‑after‑free (UAF) flaw triggered during TLS shutdown while handling BDAT chunked SMTP traffic: Exim frees a TLS transfer buffer but later continues to use stale callback references that can write data into the freed memory region, leading to remote code execution (RCE).
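The pattern the article describes, a buffer freed at shutdown while a data-path callback still points at it, is shown below as an added illustration. This is not Exim's code and does not reproduce CVE‑2026‑45185: the `tls_session` struct, the `push_cb` hook shape, the `session_*` functions and the fixed-block pool allocator are hypothetical stand-ins. The pool allocator is there so that the freed block is deterministically reused by an unrelated object, which lets the stale write show up as corruption of that object instead of undefined behaviour on the system heap.

```c
/* Added illustration of a stale-callback use-after-free (not Exim code).
 * All names here are hypothetical; the pool allocator is a toy that hands
 * freed blocks out again first, so the effect of the stale write is visible. */
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

#define BLOCK_SIZE 64
#define NBLOCKS 4

/* Tiny fixed-block pool standing in for an application allocator. */
static char pool[NBLOCKS][BLOCK_SIZE];
static bool pool_used[NBLOCKS];

static char *pool_alloc(void) {
    for (int i = 0; i < NBLOCKS; i++) {
        if (!pool_used[i]) {
            pool_used[i] = true;
            memset(pool[i], 0, BLOCK_SIZE);
            return pool[i];
        }
    }
    return NULL;
}

static void pool_free(char *p) {
    for (int i = 0; i < NBLOCKS; i++)
        if (pool[i] == p) pool_used[i] = false;
}

/* Hook the data path uses to push bytes into a session buffer, modelled
 * loosely on a TLS library's push/pull callback (hypothetical signature). */
typedef void (*push_cb)(void *ctx, const char *data, size_t n);

struct tls_session {
    char *xfer_buf;   /* transfer buffer owned by the TLS layer */
    push_cb cb;       /* hook registered when TLS is started */
    void *cb_ctx;     /* destination the hook writes into (== xfer_buf) */
};

static void push_into_buf(void *ctx, const char *data, size_t n) {
    if (n >= BLOCK_SIZE) n = BLOCK_SIZE - 1;
    memcpy(ctx, data, n);
    ((char *)ctx)[n] = '\0';
}

static void session_start_tls(struct tls_session *s) {
    s->xfer_buf = pool_alloc();
    s->cb = push_into_buf;
    s->cb_ctx = s->xfer_buf;
}

/* Vulnerable shutdown: frees the buffer but leaves cb/cb_ctx pointing at it. */
static void session_shutdown_vuln(struct tls_session *s) {
    pool_free(s->xfer_buf);
    s->xfer_buf = NULL;
}

/* Hardened shutdown: retire the hook in the same step as the buffer so no
 * later data can be routed through it. */
static void session_shutdown_fixed(struct tls_session *s) {
    pool_free(s->xfer_buf);
    s->xfer_buf = NULL;
    s->cb = NULL;
    s->cb_ctx = NULL;
}

/* Data path for a chunk that arrives after TLS has been shut down.
 * Returns true if the bytes were pushed through the session's hook. */
static bool session_deliver_chunk(struct tls_session *s, const char *data, size_t n) {
    if (s->cb == NULL || s->cb_ctx == NULL) return false;   /* safely dropped */
    s->cb(s->cb_ctx, data, n);
    return true;
}

/* Runs one scenario with the chosen shutdown routine. Copies what the
 * unrelated object that reused the freed block ends up holding into
 * victim_out, and reports whether the late chunk went through the hook. */
static const char *run_scenario(void (*shutdown)(struct tls_session *),
                                char *victim_out, size_t out_len) {
    memset(pool_used, 0, sizeof pool_used);
    struct tls_session a = {0};
    session_start_tls(&a);          /* session takes block 0 */
    shutdown(&a);                   /* block 0 returns to the pool */

    char *victim = pool_alloc();    /* unrelated object reuses block 0 */
    strcpy(victim, "ORIGINAL");

    /* Constructed late chunk; with the vulnerable shutdown the stale hook
     * writes it straight over the victim's data. */
    bool delivered = session_deliver_chunk(&a, "ATTACKER", 8);
    strncpy(victim_out, victim, out_len - 1);
    victim_out[out_len - 1] = '\0';
    return delivered ? "delivered-through-stale-hook" : "dropped";
}
```

Calling `run_scenario(session_shutdown_vuln, ...)` leaves the victim object holding the attacker-supplied bytes; `run_scenario(session_shutdown_fixed, ...)` drops the late chunk and the victim is untouched. The fix is the ordering discipline the article's description implies: every reference that can reach the buffer is invalidated at the moment the buffer is released, not at some later cleanup point.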
Exim is a widely deployed open‑source mail transfer agent (MTA) used to send, receive, and route email on Linux and Unix servers. It is common in shared‑hosting environments, enterprise mail systems, and Debian‑ and Ubuntu‑based distributions, where it has historically been the default mail server.
Discovery and Impact
CVE‑2026‑45185 was discovered and reported by XBOW researcher Federico Kirschbaum. It affects Exim versions 4.97 through 4.99.2 on builds compiled with GnuTLS that have STARTTLS and CHUNKING advertised. Builds compiled with OpenSSL are not affected.
Exploiting the vulnerability allows an attacker to execute commands on the server, access Exim data and emails, and potentially pivot further into the environment depending on server permissions and configuration.
XBOW reported the vulnerability to the Exim maintainers on May 1st and received an acknowledgment on May 5th. Impacted Linux distributions were notified three days later.
A fix was released in Exim 4.99.3 (announcement).
Mitigation
Users of Ubuntu and Debian‑based Linux distributions, and anyone else running an Exim build compiled against GnuTLS, should apply the available Exim updates (v4.99.3) through their package managers as soon as possible.
AI‑assisted Exploit Build
XBOW reports that creating the proof‑of‑concept (PoC) exploit was a seven‑day challenge between the company’s autonomous AI‑driven development system, XBOW Native, and a human researcher assisted by a large language model.
- XBOW Native successfully produced a working exploit for a simplified target Exim server that had no Address Space Layout Randomization (ASLR) and a non‑PIE binary.
- In a second attempt, the LLM achieved an exploit on a machine with ASLR, but still a non‑PIE binary.
“[…] instead of continuing to attack glibc’s allocator with off‑the‑shelf mechanisms, XBOW Native had taken on Exim’s own allocator,” — XBOW researchers.
Despite the surprising result, the human researcher won the race, with assistance from the LLM for tasks such as assembling files and testing exploitation avenues.
The researcher noted:
“Honestly, I don’t think LLMs alone are quite ready to write exploits against real‑world software yet. After this experience, I think it can solve something CTF‑shaped, but I don’t see them reaching the level of real production targets just yet.”
Nevertheless, the researcher acknowledged the crucial role of AI tools in helping humans understand unfamiliar code and investigate suspicious areas much faster than without them.