CVE-2026-45185
Published: 2026-05-12
Priority: P266 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.23% (65.1th percentile)
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| exim | exim | >= 4.97 < 4.99.3 | 4.99.3 |
| ubuntu | exim4 | — | — |
Detection & IOCs (extracted from sources)
- Flag Exim instances running versions 4.97 through 4.99.2 compiled with USE_GNUTLS=yes as vulnerable; OpenSSL builds are not affected.
- No authentication is required to trigger the vulnerability: any client capable of establishing a TLS connection and issuing BDAT (CHUNKING extension) commands can attempt exploitation.
- The vulnerability only affects Exim builds compiled with GnuTLS (USE_GNUTLS=yes); Exim builds using OpenSSL are NOT impacted.
- There are no mitigations available short of upgrading to Exim 4.99.3; the fix resets the input processing stack on TLS close_notify during an active BDAT transfer.
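The two detection bullets above reduce to one host-side check: is this Exim in the 4.97 to 4.99.2 range, and was it built against GnuTLS rather than OpenSSL? The following is an added example, not code from this page or from the Exim project, that applies that check to the text `exim -bV` prints. It assumes that output contains an `Exim version X.YY[.Z]` line and a `Support for:` line naming either `GnuTLS` or `OpenSSL` (the sample outputs embedded below are constructed for the example, not captured from real hosts).

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range as stated in the advisory data: 4.97 <= version < 4.99.3,
# and only for builds whose TLS library is GnuTLS (USE_GNUTLS=yes).
AFFECTED_MIN = (4, 97, 0)
FIXED_IN = (4, 99, 3)


def parse_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the 'Exim version X.YY[.Z]' line.

    Assumption: `exim -bV` starts with a line of that shape; a missing
    patch component (e.g. '4.98') is treated as .0 so tuples compare cleanly.
    """
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_library(bv_output: str) -> Optional[str]:
    """Return 'GnuTLS', 'OpenSSL', or None from the 'Support for:' feature list.

    Assumption: the feature list is whitespace-separated and names the TLS
    library the binary was compiled against.
    """
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    if not m:
        return None
    features = set(m.group(1).split())
    if "GnuTLS" in features:
        return "GnuTLS"
    if "OpenSSL" in features:
        return "OpenSSL"
    return None


def assess(bv_output: str) -> str:
    """Classify a build as 'vulnerable', 'not affected', or 'unknown'.

    'unknown' is reported rather than silently treated as safe, so a host
    whose output could not be parsed still shows up for manual review.
    """
    version = parse_version(bv_output)
    lib = tls_library(bv_output)
    if version is None or lib is None:
        return "unknown"
    if lib == "GnuTLS" and AFFECTED_MIN <= version < FIXED_IN:
        return "vulnerable"
    return "not affected"


def assess_local_exim() -> str:
    """Run `exim -bV` on this host and classify the result."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return assess(out)


# Constructed sample outputs for the example (not real captures).
SAMPLE_GNUTLS_OLD = (
    "Exim version 4.98 #2 built 01-Jan-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC PIPE_CONNECT\n"
)
SAMPLE_GNUTLS_FIXED = (
    "Exim version 4.99.3 #1 built 12-May-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC PIPE_CONNECT\n"
)
SAMPLE_OPENSSL = (
    "Exim version 4.99.2 #1 built 01-Apr-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC PIPE_CONNECT\n"
)

if __name__ == "__main__":
    for name, sample in [("gnutls 4.98", SAMPLE_GNUTLS_OLD),
                         ("gnutls 4.99.3", SAMPLE_GNUTLS_FIXED),
                         ("openssl 4.99.2", SAMPLE_OPENSSL)]:
        print(f"{name}: {assess(sample)}")
    print(f"local host: {assess_local_exim()}")
```

The version is compared as a tuple so that 4.99.2 sorts before 4.99.3 and 4.98 (no patch component) sorts into the affected range correctly; a string comparison would not. Hosts whose output cannot be parsed are reported as `unknown` rather than silently passing, which is the behaviour you want in a fleet sweep.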
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_ubuntu: 5.3 MEDIUM
Ubuntu: Exim vulnerabilities
vendor_ubuntu · 2026-06-03 · CVSS 5.3 · CVE-2026-40687 [MEDIUM]
Summary: Several security issues were fixed in Exim.
Timo Longin discovered that Exim incorrectly handled certain SMTP messages in PIPELINING/CHUNKING configurations. A remote attacker could possibly use this issue to perform SMTP smuggling. This issue only affected Ubuntu 14.04 LTS. (CVE-2023-51766)
It was discovered that Exim incorrectly handled certain malformed JSON data in headers. A remote attacker could possibly use this issue to crash Exim, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-40685)
It was discovered that Exim incorrectly handled certain malformed UTF-8 headers. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu
GHSA: GHSA-fhg4-whcv-f8v4
ghsa_unreviewed · 2026-05-12 · CVE-2026-45185 [CRITICAL] · CWE-416
Description identical to the summary at the top of this record.
VulDB: Exim up to 4.99.2 TCP Connection close_notify use after free
vuldb · 2026-05-12 · CVE-2026-45185 [CRITICAL]
A vulnerability classified as critical has been identified in Exim up to 4.99.2. The affected function is close_notify in the TCP Connection Handler component; the manipulation results in a use after free.
The vulnerability is tracked as CVE-2026-45185. The attack can be initiated remotely. No exploit is available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
Hackernews: ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
blogs_hackernews · 2026-05-18 · CVSS 6.1 · CVE-2026-42897 [MEDIUM]
## ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.
Patch the quiet risks first. Let’s g
Hackernews: New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
blogs_hackernews · 2026-05-12 · CVSS 9.8 · CVE-2026-45185 [CRITICAL]
## New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution.
Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email.
The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free vulnerability in Exim's binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS.
"The vulnerability is triggered during BDA
Bugzilla: CVE-2026-45185 exim: Exim: Arbitrary code execution via use-after-free in BDAT body parsing. [epel-all]
bugzilla · 2026-05-13 · CVSS 9.8 · CVE-2026-45185 [CRITICAL]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla: CVE-2026-45185 exim: Exim: Arbitrary code execution via use-after-free in BDAT body parsing. [fedora-all]
bugzilla · 2026-05-13 · CVSS 9.8 · CVE-2026-45185 [CRITICAL]
Bugzilla: CVE-2026-45185 exim: Exim: Arbitrary code execution via use-after-free in BDAT body parsing.
bugzilla · 2026-05-12 · CVSS 9.8 · CVE-2026-45185 [CRITICAL]
Description identical to the summary at the top of this record.
References:
- https://code.exim.org/exim/wiki/wiki/EximSecurity
- https://exim.org
- https://exim.org/static/doc/security/CVE-2026-45185.txt
- https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/
- https://news.ycombinator.com/item?id=48111748
- https://www.openwall.com/lists/oss-security/2026/05/12/4
- https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim
- http://www.openwall.com/lists/oss-security/2026/05/12/25
Published: 2026-05-12