New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution

Published: May 12, 2026 at 12:44 PM EDT

Source: The Hacker News

Overview

Exim is an open‑source Mail Transfer Agent (MTA) for Unix‑like systems.
The vulnerability, tracked as CVE‑2026‑45185 (also known as Dead.Letter), is a use‑after‑free bug in Exim’s binary data transmission (BDAT) message‑body parsing when a TLS connection is handled by GnuTLS.

“The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection,” the Exim advisory states.[1]

[Figure: illustration of the attack sequence]

Technical Details

The sequence of events can cause Exim to write into a memory buffer that has already been freed during TLS session teardown, leading to heap corruption. An attacker only needs to:

  1. Establish a TLS connection to the server.
  2. Use the CHUNKING (BDAT) SMTP extension.
  3. Send a close_notify alert before the BDAT transfer completes.
  4. Follow with a final cleartext byte on the same TCP connection.

Federico Kirschbaum, head of Security Lab at XBOW, discovered and reported the flaw on May 1, 2026. He explained:

“During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region. That one‑byte write lands on Exim’s allocator metadata, corrupting the allocator’s internal shape; the exploit then leverages that corruption to gain further primitives.”[2]

Impact

  • Affects all Exim versions 4.97 up to and including 4.99.2.
  • Only impacts builds compiled with USE_GNUTLS=yes. Builds using other TLS libraries (e.g., OpenSSL) are not affected.
  • No known mitigations other than applying the patch.

Mitigation

The vulnerability is fixed in Exim 4.99.3. The patch ensures that the input‑processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing stale pointers from being used.

All users are strongly advised to upgrade to version 4.99.3 or later as soon as possible.
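The two criteria in the Impact section (a version from 4.97 through 4.99.2, and a build compiled against GnuTLS) are both visible in the banner that `exim -bV` prints. The following is an added example, not code from the Exim project or from the article, that parses that banner and reports whether a host matches the affected profile. The banner format (an “Exim version …” line and a “Support for: …” line listing the TLS library) is assumed from real Exim builds; the sample banners below are constructed for the example.

```python
"""Assess an Exim build against the CVE-2026-45185 criteria.

Added example, not Exim project code. It reads the output of `exim -bV`
(banner format assumed from real Exim builds) and reports whether the build
matches the affected profile: Exim 4.97 through 4.99.2 compiled with GnuTLS.
"""
import re
import subprocess
from typing import Optional

AFFECTED_MIN = (4, 97)      # first affected release named in the advisory summary
AFFECTED_MAX = (4, 99, 2)   # last affected release
FIXED_VERSION = (4, 99, 3)  # release carrying the fix

# Constructed sample banners, shaped like real `exim -bV` output (assumption).
SAMPLE_GNUTLS = """Exim version 4.98.1 #2 built 03-Mar-2025 10:12:44
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume move_frozen_messages DANE DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR SOCKS TCP_Fast_Open
Library version: GnuTLS: Compile: 3.8.3
"""
SAMPLE_OPENSSL = """Exim version 4.98.1 #1 built 03-Mar-2025 10:12:44
Support for: crypteq iconv() IPv6 OpenSSL move_frozen_messages DANE DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR SOCKS TCP_Fast_Open
Library version: OpenSSL: Compile: OpenSSL 3.0.13 30 Jan 2024
"""
SAMPLE_FIXED = "Exim version 4.99.3 #1 built 12-May-2026 09:00:00\nSupport for: crypteq IPv6 GnuTLS DKIM\n"
SAMPLE_OLD = "Exim version 4.96.2 #1 built 01-Feb-2023 09:00:00\nSupport for: crypteq IPv6 GnuTLS DKIM\n"


def parse_version(banner: str) -> Optional[tuple]:
    """Return the dotted Exim version as a tuple of ints, e.g. (4, 98, 1)."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)*)", banner, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def tls_library(banner: str) -> Optional[str]:
    """Return 'GnuTLS' or 'OpenSSL' from the 'Support for:' line, else None."""
    m = re.search(r"^Support for:(.*)$", banner, re.MULTILINE)
    if not m:
        return None
    tokens = m.group(1).split()
    for name in ("GnuTLS", "OpenSSL"):
        if name in tokens:
            return name
    return None


def assess(banner: str) -> dict:
    """Combine the version range and the TLS library into a verdict with a reason."""
    version = parse_version(banner)
    tls = tls_library(banner)
    in_range = version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX
    affected = in_range and tls == "GnuTLS"
    if version is None:
        reason = "could not parse Exim version"
    elif not in_range:
        reason = "version outside 4.97..4.99.2"
    elif tls != "GnuTLS":
        reason = f"TLS library is {tls or 'unknown'}, not GnuTLS"
    else:
        reason = "GnuTLS build inside affected range; upgrade to 4.99.3 or later"
    return {"version": version, "tls": tls, "affected": affected, "reason": reason}


def assess_local(exim_binary: str = "exim") -> dict:
    """Run `exim -bV` on this host and assess its output (path is an assumption)."""
    proc = subprocess.run([exim_binary, "-bV"], capture_output=True, text=True, check=False)
    return assess(proc.stdout)


if __name__ == "__main__":
    for label, banner in [("gnutls", SAMPLE_GNUTLS), ("openssl", SAMPLE_OPENSSL),
                          ("fixed", SAMPLE_FIXED), ("old", SAMPLE_OLD)]:
        verdict = assess(banner)
        print(f"{label:8} version={verdict['version']} tls={verdict['tls']} "
              f"affected={verdict['affected']} ({verdict['reason']})")
```

Call `assess_local()` on a mail host to check the installed binary. One caveat when reading the result: distribution packages sometimes backport a fix while keeping the upstream version string, so a build that this check flags as affected should be confirmed against the distribution's own changelog before being treated as unpatched.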

Historical Context

This is not the first critical use‑after‑free bug in Exim. In late 2017, Exim patched a similar vulnerability (CVE‑2017‑16943) that allowed unauthenticated attackers to achieve remote code execution via specially crafted BDAT commands. The 2017 bug had a CVSS score of 9.8.[3]

Footnotes

  1. Exim advisory, May 1, 2026.

  2. Interview with Federico Kirschbaum, XBOW.

  3. CVE‑2017‑16943 advisory.