New Critical Exim Mailer Allows Remote Attacker to Execute Arbitrary Code

A critical vulnerability in the widely used Exim mail server allows unauthenticated attackers to execute arbitrary code and fully compromise exposed servers.

Federico Kirschbaum, head of the Security Lab at XBOW, discovered and reported the issue, which has been dubbed Dead.Letter.

The vulnerability carries a CVSS severity score of 9.8, making it one of the most severe bugs ever identified in the Exim ecosystem.

Organizations relying on this open-source mail server must take immediate action, as the attack requires no special configuration and can be triggered silently without any user interaction.

Exim RCE Flaw Disclosed

The technical foundation of this exploit lies in a severe use-after-free memory corruption flaw tracked as CVE-2026-45185.

According to the Exim security advisory and independent analysis by CyCognito, the vulnerability lies in the message-body parsing logic for binary data transfers when the TLS connection is handled by the GnuTLS library.

Threat actors can trigger the flaw by manipulating the connection sequence during an active transfer.

When an attacker sends a standard Transport Layer Security close notification (close_notify) alert before the binary data transfer is complete, and then immediately follows it with a final cleartext byte on the same TCP connection, the mail server mishandles the connection state.

This precise sequence of events forces Exim to write into an internal memory buffer that had already been freed during the standard session teardown.

By misdirecting a single byte of data in this way, an attacker can corrupt the memory allocator's internal structures.

As XBOW researchers highlighted in their technical disclosure, this single-byte heap corruption is sufficient to escalate privileges and achieve unauthenticated remote code execution.

Security experts emphasize that the attack only requires the ability to establish a secure connection and to use the standard SMTP chunking extension, both of which are enabled by default on modern deployments.

Despite the critical nature of the Dead.Letter vulnerability, exposure is limited to specific build and distribution choices.

The Hacker News reports that the issue affects only Exim versions 4.97 through 4.99.2 when compiled with the GnuTLS library.

Builds that link against alternative TLS libraries, such as OpenSSL, are unaffected by this attack vector.

Consequently, the threat is concentrated on Debian, Ubuntu, and Debian-derived Linux distributions, which ship the vulnerable packages by default, whereas systems such as Red Hat Enterprise Linux are generally unaffected.

System administrators cannot rely on simple workarounds to mitigate this threat. The Exim development team has addressed the memory-handling flaw in version 4.99.3, and security vendors uniformly advise upgrading immediately.

Because no configuration change fully resolves the vulnerability without breaking functionality, patching remains the only definitive defense.
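As an added example (not code from the article, from Exim, or from XBOW): a small Python check that classifies a local Exim build from its `exim -bV` banner using the version range and TLS-library condition the article states. It assumes the banner layout described in the docstring and falls back to a constructed sample when no `exim` binary is present.

```python
"""Classify an Exim build from `exim -bV` output against the Dead.Letter advisory.

Assumed (not from the article): `exim -bV` starts with "Exim version X.Y[.Z] ..."
and has a "Support for:" line naming the TLS library (GnuTLS or OpenSSL).
Affected range per the article: 4.97 through 4.99.2, GnuTLS builds only.
"""
import re
import subprocess
from typing import Optional, Tuple

AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)  # 4.99.3 carries the fix

def parse_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the 'Exim version X.Y[.Z]' line."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def tls_library(bv_output: str) -> Optional[str]:
    """Return 'GnuTLS', 'OpenSSL' or None based on the 'Support for:' line."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    features = m.group(1).split() if m else []
    return next((lib for lib in ("GnuTLS", "OpenSSL") if lib in features), None)

def assess(bv_output: str) -> Tuple[str, str]:
    """Return (status, reason); status is 'affected', 'not_affected' or 'unknown'."""
    version, lib = parse_version(bv_output), tls_library(bv_output)
    if version is None or lib is None:
        return "unknown", "could not parse version or TLS library from output"
    shown = ".".join(map(str, version))
    if lib != "GnuTLS":
        return "not_affected", f"{shown} is built against {lib}, not GnuTLS"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected", f"GnuTLS build {shown} is in 4.97-4.99.2; upgrade to 4.99.3"
    return "not_affected", f"GnuTLS build {shown} is outside the affected range"

# Constructed sample output (not captured from a real host).
SAMPLE_GNUTLS = """Exim version 4.98.1 #2 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS DKIM DNSSEC Event OCSP PRDR
"""

if __name__ == "__main__":
    try:  # Prefer the local binary; fall back to the constructed sample.
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = SAMPLE_GNUTLS
    print(*assess(out))
```

Distributions such as Debian often backport security fixes without changing the upstream version string, so an "affected" result should be confirmed against the package changelog or the distribution's advisory before acting.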


The post New Critical Exim Mailer Allows Remote Attacker to Execute Arbitrary Code appeared first on Cyber Security News.
