CVE-2017-16943
Published 2017-11-25
Priority P2 64 · critical 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 46.71% (98.7th percentile)
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | exim4 | < exim4 4.89-12 (bookworm) | exim4 4.89-12 (bookworm) |
| exim | exim | — | — |
| exim | exim | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for BDAT/CHUNKING SMTP commands followed by malformed or oversized header data on port 25. The PoC sends a long string ('a'*0x1250 or 'a'*0x1280) with a trailing unprintable character (0x7f) before issuing BDAT to trigger the use-after-free.
- Alert on SMTP sessions that send a BDAT command immediately followed by another BDAT command with a 0x7f byte prefix (e.g., ':BDAT \x7f'), which is the pattern used to trigger the store_get allocation that causes the use-after-free.
- Monitor for Exim processes where receive_getc is redirected to bdat_getc (CHUNKING extension active) and unusually large header allocations occur, indicative of heap manipulation via the store_get/store_release use-after-free path in receive_msg (receive.c:1817).
- Detect exploitation of default-configured Exim by watching for a session that sends a large DATA payload (e.g., 'b'*0x4000) followed by a new MAIL FROM and then BDAT commands, the two-phase heap grooming technique used in the default-config PoC.
- Flag Exim SMTP sessions where the ESMTP CHUNKING extension (BDAT verb) is used and the session involves manipulation of __free_hook or _IO_2_1_stdout_ memory regions, which are targeted in the RCE exploitation chain.
- Mitigation: Disable ESMTP CHUNKING advertisement in Exim's main configuration to make the BDAT verb unavailable and prevent exploitation. Set 'chunking_advertise_hosts =' (empty value) in the main section of the Exim configuration.
- The vulnerability affects Exim 4.88 and 4.89 only. The PoC for DKIM-enabled configurations is less complex; the default-configuration exploit requires additional heap grooming steps (DATA command with large payload, then restart with BDAT).
- Ubuntu notes that default compiler options for affected releases reduce the vulnerability impact to denial of service rather than code execution.
- Fixed in Exim Debian package version 4.89-12 across bookworm, bullseye, forky, sid, and trixie.
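The session-level indicators in the list above can be checked mechanically. The following parser is an added example (not code from this page, from Exim, or from any of the quoted sources): it walks the client side of an SMTP session, honours the two framings (DATA runs to CRLF.CRLF, BDAT n takes exactly n octets) so that message content is never mistaken for commands, and reports header lines that exceed a local length threshold, control bytes in header lines, a BDAT chunk that directly follows another BDAT and begins with a control byte, and DATA followed by BDAT in one session. `MAX_HEADER_LINE` is an assumed local policy value and the three sample sessions are constructed.

```python
"""Added example, not code from the page or from Exim: a parser over the
client side of an SMTP session that flags the BDAT/CHUNKING patterns listed
in the detection notes. Sample sessions below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: local policy threshold for a header line. Exim has no such
# constant; RFC 5322 recommends at most 998 octets per line.
MAX_HEADER_LINE = 4096
CRLF = b"\r\n"


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def has_nonprintable(data: bytes) -> bool:
    """True if data holds a C0 control byte (other than TAB/CR/LF) or DEL.
    High bytes are not flagged: 8BITMIME sessions carry them legitimately."""
    return any((b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b == 0x7F for b in data)


def analyze_client_stream(stream: bytes) -> list[Finding]:
    """Walk the bytes a client sent and collect suspicious-pattern findings.
    Commands are CRLF lines; DATA runs to CRLF.CRLF and BDAT n takes exactly
    n octets, so message content is never interpreted as a command."""
    findings: list[Finding] = []
    pos = 0
    prev_verb = b""
    used_data = False
    in_headers = True
    while pos < len(stream):
        end = stream.find(CRLF, pos)
        if end < 0:
            end = len(stream)
        line = stream[pos:end]
        pos = end + 2
        verb = line.split(b" ", 1)[0].upper()
        if verb in (b"MAIL", b"RSET"):
            in_headers = True  # a new message starts with its header block
        elif verb == b"DATA":
            used_data = True
            term = stream.find(CRLF + b"." + CRLF, pos)
            pos = len(stream) if term < 0 else term + 5
        elif verb == b"BDAT":
            m = re.match(rb"BDAT\s+(\d+)", line, re.IGNORECASE)
            size = int(m.group(1)) if m else 0
            chunk = stream[pos:pos + size]
            pos += size
            if used_data:
                findings.append(Finding("data_then_bdat", "DATA and BDAT in one session"))
            if prev_verb == b"BDAT" and has_nonprintable(chunk[:1]):
                findings.append(Finding("bdat_bdat_nonprintable",
                                        "consecutive BDAT, chunk starts with a control byte"))
            lines = chunk.split(CRLF)
            if chunk.endswith(CRLF):
                lines.pop()  # trailing CRLF is a line end, not a blank line
            for hline in lines:  # assumption: chunks do not split header lines
                if not in_headers:
                    break
                if hline == b"":
                    in_headers = False  # blank line ends the header block
                    break
                if len(hline) > MAX_HEADER_LINE:
                    findings.append(Finding("oversized_header_line", f"{len(hline)} octets"))
                if has_nonprintable(hline):
                    findings.append(Finding("nonprintable_in_header", repr(hline[-8:])))
        prev_verb = verb
    return findings


def finding_kinds(stream: bytes) -> list[str]:
    return [f.kind for f in analyze_client_stream(stream)]


# Constructed sample sessions (client side only).
_PREAMBLE = (b"EHLO test" + CRLF + b"MAIL FROM:<a@example.test>" + CRLF
             + b"RCPT TO:<b@example.test>" + CRLF)
_OK_CHUNK = b"Subject: hello" + CRLF + CRLF + b"hello world" + CRLF
BENIGN = _PREAMBLE + b"BDAT %d LAST" % len(_OK_CHUNK) + CRLF + _OK_CHUNK

_LONG_HDR = b"X-Long: " + b"a" * 5000 + b"\x7f" + CRLF
_NEXT = b"\x7fSubject: x" + CRLF + CRLF + b"body" + CRLF
SUSPECT = (_PREAMBLE + b"BDAT %d" % len(_LONG_HDR) + CRLF + _LONG_HDR
           + b"BDAT %d LAST" % len(_NEXT) + CRLF + _NEXT)

MIXED = (_PREAMBLE + b"DATA" + CRLF + b"Subject: a" + CRLF + CRLF + b"body" + CRLF + b"." + CRLF
         + b"MAIL FROM:<c@example.test>" + CRLF + b"RCPT TO:<b@example.test>" + CRLF
         + b"BDAT %d LAST" % len(_OK_CHUNK) + CRLF + _OK_CHUNK)

if __name__ == "__main__":
    for name, s in (("benign", BENIGN), ("suspect", SUSPECT), ("mixed", MIXED)):
        print(name, finding_kinds(s))
```

Run over a reassembled client-to-server TCP stream (from a packet capture or a proxy log), the finding kinds map one-to-one onto the indicators above; the benign session yields nothing, while the DATA-then-BDAT pattern and the oversized or control-byte-bearing header lines each produce a distinct finding.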
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Ubuntu
Exim vulnerability
vendor_ubuntu · 2017-11-27 · CVE-2017-16943
Summary: Exim could be made to crash or run programs if it received specially crafted network traffic.
It was discovered that Exim incorrectly handled memory in the ESMTP
CHUNKING extension. A remote attacker could use this issue to cause Exim to
crash, resulting in a denial of service, or possibly execute arbitrary
code. The default compiler options for affected releases should reduce the
vulnerability to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
exim: use-after-free in receive_msg function via vectors involving BDAT commands
vendor_redhat · 2017-11-23 · CVSS 9.8
CVE-2017-16943 [CRITICAL] CWE-416
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
Mitigation: if you are running Exim 4.88 or newer, then in the main section of your Exim configuration, set:
```
chunking_advertise_hosts =
```
This disables advertising the ESMTP CHUNKING extension, making the BDAT verb unavailable and avoiding letting an attacker apply the logic.
Package: exim (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2017-16943: exim4 - The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 a...
vendor_debian · 2017 · CVSS 9.8
CVE-2017-16943 [CRITICAL]
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
Scope: local
bookworm: resolved (fixed in 4.89-12)
bullseye: resolved (fixed in 4.89-12)
forky: resolved (fixed in 4.89-12)
sid: resolved (fixed in 4.89-12)
trixie: resolved (fixed in 4.89-12)
GHSA
GHSA-6pmg-h497-cq5q: The receive_msg function in receive
ghsa_unreviewed · 2022-05-13
CVE-2017-16943 [CRITICAL] CWE-416
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
OSV
CVE-2017-16943: The receive_msg function in receive
osv · 2017-11-25 · CVSS 9.8
CVE-2017-16943 [CRITICAL]
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
No detection rules found.
No public exploits indexed.
HackerOne
Exim use-after-free vulnerability while reading mail header involving BDAT commands
hackerone · 2019-11-12 · CVSS 9.8
CVE-2017-16943 [CRITICAL]
Original article is [here](https://devco.re/blog/2017/12/11/Exim-RCE-advisory-CVE-2017-16943-en/)
# Use-after-free in receive_msg leads to RCE
### Vulnerability Analysis
To explain this bug, we need to start with the memory management of Exim. There is a series of functions starting with `store_`, such as `store_get`, `store_release` and `store_reset`. These functions are used to manage dynamically allocated memory and improve performance. Its architecture is like the illustration below:
Initially, Exim allocates a big storeblock (default 0x2000) and then cuts it into **stores** when `store_get` is called, using global pointers to record the size of unused memory and where to cut in the next allocation. Once the
HackerOne
Exim handles BDAT data incorrectly and leads to crash/hang
hackerone · 2019-11-12 · CVSS 9.8
CVE-2017-16943 [CRITICAL]
## Original article is [here](https://devco.re/blog/2017/12/11/Exim-RCE-advisory-CVE-2017-16943-en/)
# Incorrect BDAT data handling leads to DoS
### Vulnerability Analysis
When receiving data via the BDAT command, an SMTP server should not treat a line containing a single dot `.` as the end of the message. However, we found that Exim does so in receive_msg when parsing the header, as the following output shows:
```
220 devco.re ESMTP Exim 4.90devstart_213-7c6ec81-XX Mon, 27 Nov 2017 16:58:20 +0800
EHLO test
250-devco.re Hello root at test
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
MAIL FROM:
250 OK
RCPT TO:
250 Accepted
BDAT 10
.
250- 10 byte chunk, total 0
250 OK id=1eJFGW-000C
```
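The transcript above shows Exim answering "10 byte chunk, total 0" when the declared chunk begins with a bare dot line, that is, the dot was taken as end of message even though BDAT framing is defined purely by octet count. The following is an added example (not code from the page, from the report, or from Exim) that places the two framings side by side: a DATA reader that legitimately stops at CRLF.CRLF and unstuffs leading dots, a BDAT reader that consumes exactly the declared size, and a deliberately incorrect BDAT reader modelling the behaviour described above, so that the desynchronisation it causes is visible: the unread tail of the chunk is left in the stream and would be parsed as the next SMTP command. The sample bytes are constructed.

```python
"""Added example, not code from the page or from Exim: the two SMTP
message-data framings side by side, showing why a line holding only "."
terminates DATA but must be ordinary content inside a BDAT chunk.
The sample bytes are constructed."""
from __future__ import annotations

CRLF = b"\r\n"


def read_data_message(stream: bytes) -> tuple[bytes, bytes]:
    """DATA framing (RFC 5321): the message ends at CRLF '.' CRLF, and a line
    that begins with '..' is unstuffed to '.'. Returns (message, remainder)."""
    term = stream.find(CRLF + b"." + CRLF)
    if term < 0:
        raise ValueError("DATA content not terminated")
    raw, rest = stream[:term + 2], stream[term + 5:]
    lines = [ln[1:] if ln.startswith(b"..") else ln for ln in raw.split(CRLF)]
    return CRLF.join(lines), rest


def read_bdat_chunk(stream: bytes, size: int) -> tuple[bytes, bytes]:
    """BDAT framing (RFC 3030): exactly `size` octets are message content, with
    no dot-stuffing and no terminator, so '.' on its own line is just data."""
    if len(stream) < size:
        raise ValueError("short chunk: client promised more octets than it sent")
    return stream[:size], stream[size:]


def dot_terminated_bdat_chunk(stream: bytes, size: int) -> tuple[bytes, bytes]:
    """Models the incorrect behaviour shown in the transcript above: the
    chunk is scanned line by line and a lone '.' is taken as end of message.
    Whatever follows the dot, though still inside the declared chunk, is left
    in the stream and will be read as the next SMTP command."""
    consumed = 0
    for line in stream[:size].split(CRLF):
        if line == b".":
            return stream[:consumed], stream[consumed + 3:]
        consumed += len(line) + 2
    return stream[:size], stream[size:]


# Constructed sample: a chunk whose second line is a bare dot, followed by QUIT.
CHUNK = b"Subject: hi" + CRLF + b"." + CRLF + b"body text" + CRLF
STREAM = CHUNK + b"QUIT" + CRLF

if __name__ == "__main__":
    print("correct:  ", read_bdat_chunk(STREAM, len(CHUNK)))
    print("incorrect:", dot_terminated_bdat_chunk(STREAM, len(CHUNK)))
```

With the correct reader the remainder is exactly `QUIT`; with the dot-terminated reader the remainder starts with `body text`, which the command loop would then try to interpret as a verb, which is the kind of state confusion behind the crash/hang this report describes.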
Bugzilla
CVE-2017-16943 CVE-2017-16944 exim: various flaws [epel-all]
bugzilla · 2017-11-27 · CVSS 9.8
CVE-2017-16943 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora EPEL. Wh
Bugzilla
CVE-2017-16943 exim: use-after-free in receive_msg function via vectors involving BDAT commands
bugzilla · 2017-11-27 · CVSS 9.8
CVE-2017-16943 [CRITICAL]
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
Upstream bug:
https://bugs.exim.org/show_bug.cgi?id=2199
Upstream patch:
https://git.exim.org/exim.git/commitdiff/4e6ae6235c68de243b1c2419027472d7659aa2b4
Discussion:
Created exim tracking bugs for this issue:
Affects: epel-all [bug 1517686]
Affects: fedora-all [bug 1517687]
---
Mitigation:
if you are running Exim 4.88 or newer, then in the main section of your Exim configuration, set:
```
chunking_advertise_hosts =
```
This disables advertising the ESMTP CHUNKING extension, making
Bugzilla
CVE-2017-16943 CVE-2017-16944 exim: various flaws [fedora-all]
bugzilla · 2017-11-27 · CVSS 9.8
CVE-2017-16943 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Whi
Hackernews
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
blogs_hackernews · 2026-05-12 · CVSS 9.8
CVE-2026-45185 [CRITICAL]
## New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution.
Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email.
The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free vulnerability in Exim's binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS.
"The vulnerability is triggered during BDA
References
- http://openwall.com/lists/oss-security/2017/11/25/1
- http://openwall.com/lists/oss-security/2017/11/25/2
- http://openwall.com/lists/oss-security/2017/11/25/3
- http://www.openwall.com/lists/oss-security/2021/05/04/7
- http://www.securitytracker.com/id/1039872
- https://bugs.exim.org/show_bug.cgi?id=2199
- https://git.exim.org/exim.git/commit/4090d62a4b25782129cc1643596dc2f6e8f63bde
- https://git.exim.org/exim.git/commitdiff/4e6ae6235c68de243b1c2419027472d7659aa2b4
- https://github.com/LetUsFsck/PoC-Exploit-Mirror/tree/master/CVE-2017-16944
- https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
- https://www.debian.org/security/2017/dsa-4053