Tracked as CVE-2026-45185 and dubbed “Dead.Letter,” the flaw affects Exim installations running on Linux and Unix-like systems, exposing critical email infrastructure used by enterprises, ISPs, and hosting providers.
The issue affects Exim versions 4.97 through 4.99.2 when compiled with the GnuTLS library and configured to support both STARTTLS and CHUNKING (BDAT).
Notably, systems using OpenSSL are not affected, offering a key mitigation path for administrators.
New Exim Vulnerability
At its core, CVE-2026-45185 is a remotely exploitable use-after-free (UAF) vulnerability triggered during the processing of TLS-encrypted SMTP sessions combined with BDAT chunked message handling.
The flaw arises from improper memory handling when Exim processes TLS shutdown signals mid-message.
When a client initiates STARTTLS, Exim allocates a 4 KB buffer and routes all SMTP traffic through TLS-aware input handlers.
However, when BDAT chunking is introduced, Exim layers additional parsing logic on top of this TLS pipeline.
The vulnerability occurs when a malicious client sends a TLS close_notify signal during an active BDAT session.
This sequence causes Exim to free the TLS buffer but fail to fully reset internal callback pointers. As a result, stale references remain active, pointing to deallocated memory.
Later, during BDAT parsing, Exim attempts to write a single byte into this freed buffer, triggering a controlled heap corruption condition.
From One-Byte Write to Full Server Compromise
Although the flaw initially provides only a one-byte write primitive, researchers demonstrated that it can be reliably escalated into full remote code execution. Exim’s custom memory allocator (“store”) plays a crucial role in this escalation.
By manipulating allocator metadata, specifically the length field of memory blocks, attackers can trick Exim into miscalculating memory boundaries.
This allows carefully crafted SMTP inputs to overwrite adjacent memory structures, including sensitive pointers and control data.
Security researchers observed multiple exploitation paths. In controlled environments, attackers leveraged glibc heap manipulation and FILE structure overwrites to execute return-oriented programming (ROP) chains.
In real-world scenarios with modern protections like ASLR enabled, attackers instead targeted Exim’s internal function pointers, achieving command execution during ACL processing stages.
Importantly, exploitation requires no authentication and no special configuration beyond the vulnerable GnuTLS and BDAT combination, significantly increasing the attack surface.
The vulnerability also highlights a growing trend: researchers demonstrated that autonomous large language models (LLMs) can assist in generating working exploit chains, accelerating the timeline from disclosure to weaponization.
Exim has addressed the issue in version 4.99.3, which correctly resets internal input states when TLS sessions terminate unexpectedly. Organizations are strongly urged to upgrade immediately.
Where patching is not feasible, administrators can reduce exposure by:
- Switching from GnuTLS to OpenSSL-based builds
- Disabling BDAT/CHUNKING support
- Restricting STARTTLS access from untrusted networks
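As an added defender-side triage check (not from the article), the POSIX shell script below tests the four preconditions described above against the text of `exim -bV` and of `exim -bP chunking_advertise_hosts` / `exim -bP tls_advertise_hosts`. The exact output formats are assumed from common Exim builds, and the sample output embedded at the end is constructed.

```shell
#!/bin/sh
# Added triage script (not from the article): reports whether an Exim host meets every
# CVE-2026-45185 precondition named above. Inputs are the text of `exim -bV` and of
# `exim -bP chunking_advertise_hosts` / `exim -bP tls_advertise_hosts`; the exact
# output formats are assumed, and the sample at the bottom is constructed.

# 0 if "$1" (e.g. "4.99.2") lies in the affected range 4.97 .. 4.99.2; 4.99.3 has the fix.
version_affected() {
  echo "$1" | awk -F. '{
    maj = $1 + 0; min = $2 + 0; pat = $3 + 0
    if (maj != 4 || min < 97 || min > 99) exit 1
    if (min == 99 && pat >= 3) exit 1
    exit 0 }'
}

# Pull the version number from the first line of `exim -bV` ("Exim version 4.99.2 #1 ...").
exim_version() {
  printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# 0 if the "Support for:" line lists GnuTLS; OpenSSL builds are not affected.
uses_gnutls() {
  printf '%s\n' "$1" | grep -q '^Support for:.*GnuTLS'
}

# 0 if an `exim -bP name` line ("name = hostlist") carries a non-empty host list,
# i.e. the feature is advertised to at least some clients.
option_advertised() {
  val=$(printf '%s\n' "$1" | sed -n 's/^[a-z_]* *= *//p')
  [ -n "$val" ]
}

# $1 = -bV text, $2 = chunking_advertise_hosts line, $3 = tls_advertise_hosts line.
# Returns 0 (and says so) only when all four preconditions hold.
exim_affected() {
  v=$(exim_version "$1")
  version_affected "$v"   || { echo "Exim $v: not in affected range";   return 1; }
  uses_gnutls "$1"        || { echo "Exim $v: not a GnuTLS build";      return 1; }
  option_advertised "$2"  || { echo "Exim $v: CHUNKING not advertised"; return 1; }
  option_advertised "$3"  || { echo "Exim $v: STARTTLS not advertised"; return 1; }
  echo "Exim $v: GnuTLS + STARTTLS + CHUNKING -> exposed, upgrade to 4.99.3"
}

# Constructed sample output, not captured from a real host.
SAMPLE_BV='Exim version 4.99.2 #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
Configuration file is /etc/exim4/exim4.conf'
exim_affected "$SAMPLE_BV" 'chunking_advertise_hosts = *' 'tls_advertise_hosts = *'
```

On a live host, feed it `"$(exim -bV)"`, `"$(exim -bP chunking_advertise_hosts)"` and `"$(exim -bP tls_advertise_hosts)"` in place of the constructed sample.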
Given the availability of detailed technical disclosures and proven exploit techniques, CVE-2026-45185 should be treated as a critical, high-priority threat.
Unpatched systems risk complete compromise, including unauthorized email access, lateral movement, and malware deployment across enterprise environments.
The post New Exim Vulnerability Enables Arbitrary Code Execution Attacks appeared first on Cyber Security News.