cbcvebase.
CVE-2026-45185
published 2026-05-12

CVE-2026-45185: Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path.

Priority: P266
CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.23% (65.1st percentile)
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.

Affected (2 ranges)

  Vendor    Product   Version range        Fixed in
  exim      exim      >= 4.97, < 4.99.3    4.99.3
  ubuntu    exim4     (not listed)         (not listed)

Detection & IOCs (extracted from sources)

  • Flag Exim instances running versions 4.97 through 4.99.2 that were compiled with USE_GNUTLS=yes as vulnerable; OpenSSL builds are not affected.
  • No authentication is required to trigger the vulnerability: any client that can establish a TLS connection and issue BDAT (CHUNKING extension) commands can attempt exploitation.
  • The vulnerability only affects Exim builds compiled with GnuTLS (USE_GNUTLS=yes); Exim builds using OpenSSL are not impacted.
  • There are no mitigations available short of upgrading to Exim 4.99.3; the fix resets the input processing stack on TLS close_notify during an active BDAT transfer.

CVSS provenance

  Source          Version   Score   Severity   Vector
  nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  vendor_ubuntu             5.3     MEDIUM