{"id":2540,"date":"2026-05-13T09:03:32","date_gmt":"2026-05-13T16:03:32","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=2540"},"modified":"2026-05-13T09:03:33","modified_gmt":"2026-05-13T16:03:33","slug":"emerging-threat-cve-2026-45185-exim-remote-code-execution-via-bdat-over-gnutls","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/emerging-threat-cve-2026-45185-exim-remote-code-execution-via-bdat-over-gnutls\/","title":{"rendered":"Emerging Threat: (CVE-2026-45185) Exim Remote Code Execution via BDAT over GnuTLS"},"content":{"rendered":"\n
\"\"
Sample of assets impacted by Exim Dead.Letter vulnerability, identified by the CyCognito Platform<\/em><\/figcaption><\/figure>\n\n\n\n

What is CVE-2026-45185?<\/h2>\n\n\n\n

CVE-2026-45185, nicknamed Dead.Letter, is a use-after-free vulnerability in the BDAT message body parsing path of Exim, the open-source Mail Transfer Agent that runs a large share of the internet’s email servers. The flaw lives in the GnuTLS-backed TLS path, where Exim can free its internal transfer buffer during a TLS shutdown while the SMTP state machine still holds a reference to it. A final byte sent in cleartext on the same TCP connection after a TLS close_notify<\/code> causes Exim to write into that freed memory, corrupting the heap.<\/p>\n\n\n\n

The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical). Exploitation is unauthenticated and requires no user interaction. The attacker needs only the ability to open a TLS connection to the server and use the standard CHUNKING<\/code> (BDAT) SMTP extension, both of which are enabled by default on most internet-facing Exim deployments.<\/p>\n\n\n\n

An unauthenticated network attacker who successfully exploits the flaw can execute arbitrary code in the context of the Exim process, which on most distributions runs with elevated privileges to bind port 25 and read mail spool directories.<\/p>\n\n\n\n

What assets are affected by CVE-2026-45185?<\/h2>\n\n\n\n

The flaw affects Exim versions 4.97 through 4.99.2 when compiled with USE_GNUTLS=yes<\/code>. Builds linked against OpenSSL or other TLS libraries are not vulnerable to this specific path, which means exposure is concentrated on Debian, Ubuntu, and Debian-derived distributions that ship GnuTLS-backed Exim packages by default. Red Hat Enterprise Linux and SUSE-family systems generally ship OpenSSL-linked builds and are out of scope.<\/p>\n\n\n\n

In practice, an affected asset is an internet-facing SMTP server on TCP\/25, TCP\/465, or TCP\/587 that advertises both STARTTLS<\/code> and CHUNKING<\/code> in its EHLO response. Exim is the default MTA on Debian and a common choice for shared hosting providers, university mail systems, small-to-mid-size ISPs, transactional mail relays, and legacy on-premise mail infrastructure. Many of these systems are long-running, lightly managed, and exposed to the entire internet by design.<\/p>\n\n\n\n

Debian published DSA-6265-1 on the same day as the upstream advisory, with fixed packages for oldoldstable, oldstable, and stable. Ubuntu released coordinated updates for supported releases including 24.04 LTS. Operators should not assume their distribution has shipped a fixed package until verified directly against the relevant security tracker.<\/p>\n\n\n\n

What does our data show about exposure patterns?<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Exposure in this set is led by Consumer Discretionary at 24.2% of observed assets, with Industrials contributing 16.9% and Communication Services 12.9%. The remaining 46.1% is spread thinly across Consumer Staples, Health Care, Energy, Financials, Information Technology, Materials, Utilities, and a meaningful tail of unclassified or mixed-portfolio organizations.<\/p>\n\n\n\n

Consumer Discretionary’s lead is consistent with how Exim tends to enter an estate. Retail, hospitality, media, and online services accumulate marketing platforms, regional subsidiaries, white-label storefronts, and acquired brands, each of which often brings its own transactional mail relay. <\/p>\n\n\n\n

Those relays are frequently provisioned by hosting providers using Debian or Ubuntu defaults, which means GnuTLS-backed Exim quietly becomes the SMTP layer for properties the parent organization never directly inventoried.<\/p>\n\n\n\n

The broader cross-sector spread reflects what makes mail infrastructure so persistent on the external attack surface. SMTP servers rarely get decommissioned cleanly. A relay set up for a campaign, a partner integration, or a legacy ticketing system stays reachable on TCP\/25 long after the function it served has been retired, and the team that originally configured it has moved on. Dead.Letter is dangerous precisely because it lives in the part of the estate organizations are least likely to be actively watching.<\/p>\n\n\n\n

Are fixes available?<\/h2>\n\n\n\n

Yes. Exim 4.99.3 was released on May 12, 2026, and is the canonical fix. The patch resets the input processing stack when a TLS close_notify<\/code> is received during an active BDAT transfer, eliminating the stale pointer that the previous code path could write into. Operators building Exim from source should move to 4.99.3 or later.<\/p>\n\n\n\n

For distribution-packaged installs, Debian shipped fixed exim4 packages for stable (4.98.2-1+deb13u2<\/code>), oldstable (4.96-15+deb12u9<\/code>), and oldoldstable (4.94.2-7+deb11u5<\/code>) on May 12, 2026. Ubuntu published coordinated security updates for supported releases including 24.04 LTS. Other Debian-derived distributions are rolling fixes through their own pipelines on varying schedules.<\/p>\n\n\n\n

The Exim advisory and the upstream oss-security thread both state that no effective configuration-based workaround exists. Disabling CHUNKING<\/code> is not a supported mitigation path, and disabling TLS removes the GnuTLS code path but creates a much worse security posture. <\/p>\n\n\n\n

Defenders should treat the version upgrade or distribution patch as the only viable remediation and verify the installed binary is linked against the patched code, not just that the package version string has changed.<\/p>\n\n\n\n

Are there any other recommended actions to take?<\/h2>\n\n\n\n