Critical Exim GnuTLS Flaw Enables Remote Code Execution on Mail Servers


Exim has released a security update for a critical vulnerability that can allow unauthenticated remote attackers to corrupt memory and potentially execute code on affected mail servers. The flaw is tracked as CVE-2026-45185 and was fixed in Exim 4.99.3.

The vulnerability affects Exim builds that use the GnuTLS backend and expose the STARTTLS and CHUNKING features. Attackers do not need an account on the server. They only need to establish a TLS connection and use the BDAT command in a specific way.

The risk is significant because Exim remains one of the most widely deployed mail transfer agents on Unix and Linux systems. A vulnerable internet-facing mail server could face remote compromise if it runs an affected version and configuration.

What CVE-2026-45185 affects

CVE-2026-45185 is a use-after-free vulnerability in Exim’s BDAT body parsing path when the server uses GnuTLS for TLS handling. BDAT is part of the SMTP CHUNKING extension, which lets clients send email message bodies in defined chunks.

The vulnerability affects Exim versions before 4.99.3 in certain GnuTLS configurations. Exim’s advisory says affected systems include versions 4.97 through 4.99.x when built with GnuTLS support and when STARTTLS and CHUNKING are advertised.

Servers using OpenSSL or other TLS libraries are not affected by this specific flaw. Administrators should still verify their build options instead of assuming they are safe based only on package names.

| Item | Details |
|---|---|
| CVE | CVE-2026-45185 |
| Advisory ID | EXIM-Security-2026-05-01.1 |
| Affected software | Exim mail transfer agent |
| Affected versions | Exim before 4.99.3 in certain GnuTLS configurations |
| Affected backend | GnuTLS |
| Unaffected backend | OpenSSL builds are not affected by this specific path |
| Vulnerability type | Use-after-free |
| Impact | Heap corruption and possible remote code execution |
| Fixed version | Exim 4.99.3 |

How the Exim BDAT bug works

The attack starts with a TLS-enabled SMTP session. The attacker uses the CHUNKING extension and sends message body data through the BDAT command.

During that BDAT transfer, the attacker sends a TLS close_notify alert before the body transfer has completed. This causes Exim’s GnuTLS path to begin tearing down the TLS state while the BDAT parsing logic still has work to do.

The attacker then sends one final cleartext byte on the same TCP connection. Exim can then continue using stale receive state and write into memory that has already been freed.

Why this can lead to code execution

A use-after-free occurs when software continues to use memory after it has been released. In this case, Exim can write into a freed TLS transfer buffer during BDAT processing.

That write can corrupt heap memory. Under the right conditions, memory corruption can move beyond a crash and become a code execution path.

The NVD entry gives the vulnerability a CVSS 3.1 score of 9.8. The vector indicates that the flaw is reachable over the network, with low attack complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.

| CVSS factor | Meaning for this flaw |
|---|---|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Impact | High confidentiality, integrity, and availability impact |
| Base score | 9.8 Critical |

Why mail servers need urgent patching

Mail servers are high-value targets because they sit on the internet and handle trusted communication for businesses, hosting providers, government agencies, and service operators. A remote code execution flaw in a mail transfer agent can give attackers a strong foothold.

If attackers compromise a mail server, they may access stored messages, steal credentials from local configuration files, modify mail routing, plant malware, relay spam, or move deeper into the network.

Even when exploitation only causes a crash, the result can still disrupt mail delivery. For organizations that depend on email for operations, support, legal communication, or customer service, downtime can create immediate business impact.

  • Internet-facing Exim servers should receive priority review.
  • Systems built with GnuTLS need urgent version checks.
  • Servers advertising STARTTLS and CHUNKING are in the relevant exposure path.
  • OpenSSL builds are not affected by this specific GnuTLS bug.
  • Administrators should upgrade to Exim 4.99.3 or a vendor-provided patched package.

Who discovered the vulnerability

The vulnerability was reported by Federico Kirschbaum of XBOW Security. Exim maintainers coordinated the fix, prepared the security release, and gave Linux distributions early access to patches before public disclosure.

XBOW later published a technical write-up under the name Dead.Letter. The research explains how the bug appears in the GnuTLS receive path and how the BDAT wrapper can continue processing after TLS shutdown begins.

The Exim maintainers publicly released version 4.99.3 on May 12, 2026, and recommended that all affected users upgrade immediately.

How administrators can check exposure

Administrators should first identify the Exim version running on each server. Any system running a version before 4.99.3 needs closer review if the package was built with GnuTLS.

They should also check whether the server advertises STARTTLS and CHUNKING. Those capabilities are common in modern SMTP deployments, so many mail administrators should assume exposure until they verify otherwise.

Package details vary across Linux distributions. Some vendors may backport the fix into older version numbers, so administrators should follow their distribution’s security advisory and changelog rather than relying only on the upstream version string.

  1. Check the installed Exim version.
  2. Confirm whether the package was built with GnuTLS.
  3. Check whether STARTTLS and CHUNKING are advertised.
  4. Upgrade to Exim 4.99.3 or the patched vendor package.
  5. Restart Exim after patching.
  6. Review logs for crashes, unusual SMTP sessions, or suspicious TLS and BDAT activity.
  7. Monitor outbound mail queues for signs of abuse after patching.
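The first three steps of that checklist can be scripted. The following helper is an added example written for this article, not code from the Exim project or the advisory. It assumes that `exim -bV` prints an "Exim version X.Y.Z" line and a "Support for:" line naming the TLS backend (GnuTLS or OpenSSL), and that the EHLO reply from port 25 has been captured as text. The sample `exim -bV` output and EHLO reply below are constructed for the demonstration.

```shell
#!/bin/sh
# Added exposure check for CVE-2026-45185; illustrative helper code, not part of
# Exim or the advisory. Assumptions: `exim -bV` prints an "Exim version X.Y.Z"
# line and a "Support for:" line naming the TLS backend (GnuTLS or OpenSSL), and
# an EHLO reply captured from port 25 is fed in as text. Distribution packages
# may backport the fix under an older version string, so treat an EXPOSED
# verdict as "check the vendor advisory", not as proof of vulnerability.

# version_lt A B: succeeds when dotted version A is numerically lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# bv_version: extract the version number from `exim -bV` output on stdin
bv_version() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# bv_tls_backend: report GnuTLS, OpenSSL or none from the "Support for:" line
bv_tls_backend() {
    awk 'BEGIN { b = "none" }
         /^Support for:/ { if ($0 ~ /GnuTLS/) b = "GnuTLS"; else if ($0 ~ /OpenSSL/) b = "OpenSSL" }
         END { print b }'
}

# ehlo_advertises KEYWORD: succeeds when the EHLO reply on stdin lists KEYWORD
ehlo_advertises() {
    grep -qiE "^250[- ]$1([[:space:]]|$)"
}

# assess VERSION BACKEND STARTTLS(yes|no) CHUNKING(yes|no): print a verdict line
assess() {
    ver="$1"; backend="$2"; starttls="$3"; chunking="$4"
    if ! version_lt "$ver" 4.99.3; then
        echo "PATCHED: Exim $ver is 4.99.3 or later"
    elif [ "$backend" != "GnuTLS" ]; then
        echo "NOT-AFFECTED: Exim $ver is built with $backend, not GnuTLS (verify build options)"
    elif [ "$starttls" = yes ] && [ "$chunking" = yes ]; then
        echo "EXPOSED: Exim $ver with GnuTLS advertises STARTTLS and CHUNKING; upgrade to 4.99.3"
    else
        echo "AT-RISK: Exim $ver with GnuTLS; STARTTLS and CHUNKING not both advertised, upgrade anyway"
    fi
}

# Constructed sample text standing in for `exim -bV` output and an EHLO reply.
SAMPLE_BV='Exim version 4.98.1 #2 built 03-Mar-2025 10:11:12
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DKIM DNSSEC Event OCSP
Library version: GnuTLS: Compile: 3.8.3  Runtime: 3.8.3'
SAMPLE_EHLO='250-mail.example.test Hello probe [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP'

# check_from_text BV_TEXT EHLO_TEXT: run the full assessment on captured text
check_from_text() {
    v=$(printf '%s\n' "$1" | bv_version)
    b=$(printf '%s\n' "$1" | bv_tls_backend)
    s=no; printf '%s\n' "$2" | ehlo_advertises STARTTLS && s=yes
    c=no; printf '%s\n' "$2" | ehlo_advertises CHUNKING && c=yes
    assess "$v" "$b" "$s" "$c"
}

check_from_text "$SAMPLE_BV" "$SAMPLE_EHLO"
# Live use on a host (assumed tooling; the EHLO reply is captured with nc before STARTTLS):
#   check_from_text "$(exim -bV)" "$(printf 'EHLO probe.example.test\r\nQUIT\r\n' | nc -w 3 127.0.0.1 25)"
```

The verdict is deliberately conservative: a GnuTLS build below 4.99.3 that does not advertise both features is still reported as AT-RISK, because the capability list can change with configuration, and a vendor backport may leave the version string below 4.99.3 while the fix is present, so the distribution advisory has the final word.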

No reliable configuration workaround replaces patching

The recommended fix is to update Exim. Administrators should not rely on partial mitigations when a patched package is available.

In emergency cases, reducing exposure may involve disabling affected functionality or removing public access until patching is complete. However, changes to STARTTLS or CHUNKING can disrupt mail handling and should be tested carefully.

The safer operational path is to apply the vendor update, restart the service, and verify that the running Exim process uses the patched binary.

| Action | Priority | Reason |
|---|---|---|
| Upgrade to Exim 4.99.3 or vendor patch | Highest | Removes the vulnerable code path. |
| Confirm TLS backend | High | Only GnuTLS builds are affected by this specific bug. |
| Restart Exim | High | Ensures the patched binary is actually running. |
| Review mail logs | Medium | Helps detect suspicious sessions or crash activity. |
| Monitor queues and outbound mail | Medium | Helps identify abuse if compromise occurred before patching. |

What incident responders should review

If administrators suspect exploitation, they should preserve logs before rotating or rebuilding systems. Mail server logs, system logs, crash reports, core dumps, and network telemetry may help determine whether the vulnerability was targeted.

Responders should also check for signs of post-exploitation. That includes new users, modified Exim configuration files, suspicious binaries, changed mail routing rules, unexpected cron jobs, outbound spam, and unusual network connections.

A confirmed compromise should trigger credential rotation for secrets stored on the server. That may include mail account passwords, database credentials, API keys, relay credentials, SSH keys, and service tokens.

  • Preserve Exim logs and system logs.
  • Check for abnormal Exim crashes or restarts.
  • Inspect Exim configuration files for unauthorized changes.
  • Review mail queues and outbound traffic.
  • Search for new users, cron jobs, services, or SSH keys.
  • Rotate credentials stored on the mail server if compromise is suspected.
  • Rebuild the host if attackers gained code execution and persistence cannot be ruled out.
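Two items on that list, preserving logs and checking configuration files for unauthorized changes, lend themselves to a small script. The following is an added example for this article, not code from the Exim project or the advisory. It assumes Debian-style paths (/etc/exim4 and /var/log/exim4; other packagings differ), a hash manifest of the configuration directory taken at install or at the last audit, and filenames without whitespace. The demonstration builds a constructed temporary tree, including a constructed mainlog line, rather than touching a live host.

```shell
#!/bin/sh
# Added triage helpers for the incident-response checklist; illustrative code,
# not part of Exim or the advisory. Assumptions: Debian-style paths
# (/etc/exim4, /var/log/exim4), a baseline manifest taken at install or last
# audit, and filenames without whitespace.

# sha256_of FILE: print the SHA-256 hex digest (sha256sum, or shasum fallback)
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | awk '{ print $1 }'
}

# make_manifest DIR: emit "hash  relative/path" lines for every regular file
make_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "${f#./}"
    done )
}

# config_changes BASELINE DIR: report NEW, CHANGED and MISSING files versus the baseline
config_changes() {
    base="$1"; dir="$2"
    make_manifest "$dir" | while read -r h f; do
        bh=$(awk -v f="$f" '$2 == f { print $1 }' "$base")
        if [ -z "$bh" ]; then echo "NEW $f"
        elif [ "$bh" != "$h" ]; then echo "CHANGED $f"
        fi
    done
    awk '{ print $2 }' "$base" | while read -r f; do
        [ -f "$dir/$f" ] || echo "MISSING $f"
    done
}

# preserve_logs EVIDENCE_DIR FILE...: copy logs with timestamps kept and write a
# hash manifest beside the copies so later rotation or rebuild does not lose them
preserve_logs() {
    ev="$1"; shift
    mkdir -p "$ev"
    for f in "$@"; do cp -p "$f" "$ev/"; done
    make_manifest "$ev" > "$ev.sha256"
    echo "$ev.sha256"
}

# demo: constructed temporary tree simulating a config edit and a dropped file
# after the baseline was taken, plus a constructed mainlog line to preserve
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/exim4" "$t/var/log/exim4"
    printf 'primary_hostname = mail.example.test\n' > "$t/etc/exim4/exim4.conf"
    printf 'dc_eximconfig_configtype=internet\n' > "$t/etc/exim4/update-exim4.conf.conf"
    printf '2026-05-13 10:00:01 SMTP connection from [192.0.2.10]\n' > "$t/var/log/exim4/mainlog"
    make_manifest "$t/etc/exim4" > "$t/baseline.sha256"
    printf 'accept_8bitmime = true\n' >> "$t/etc/exim4/exim4.conf"   # edit after baseline
    printf 'begin routers\n' > "$t/etc/exim4/dropped.conf"             # file added after baseline
    preserve_logs "$t/evidence" "$t/var/log/exim4/mainlog" >/dev/null
    config_changes "$t/baseline.sha256" "$t/etc/exim4"
    [ -f "$t/evidence/mainlog" ] && echo "PRESERVED mainlog"
    rm -rf "$t"
}

demo
# Live use (assumed paths): run `make_manifest /etc/exim4 > /root/exim-baseline.sha256`
# at audit time, then `config_changes /root/exim-baseline.sha256 /etc/exim4` during triage,
# and `preserve_logs /root/evidence-$(date +%F) /var/log/exim4/mainlog /var/log/exim4/rejectlog`.
```

The manifest approach only works if the baseline was captured before the suspected compromise, so it belongs in routine hardening rather than being created for the first time during an incident; where no baseline exists, the package manager's own verification (dpkg -V or rpm -V) covers packaged files but not local additions.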

Why this Exim flaw matters

CVE-2026-45185 is serious because it combines remote reachability, no authentication requirement, common SMTP features, and possible code execution. That combination gives attackers a valuable target surface on exposed mail infrastructure.

The scope is narrower than every Exim installation because the issue depends on GnuTLS and advertised SMTP features. Still, many Linux mail servers use configurations that deserve immediate checking.

Organizations should patch quickly and verify deployment. Mail servers often sit at the edge of the network, and attackers closely watch critical MTA disclosures because email infrastructure can support espionage, phishing, malware delivery, and lateral movement.

FAQ

What is CVE-2026-45185?

CVE-2026-45185 is a critical use-after-free vulnerability in Exim’s BDAT body parsing path when using the GnuTLS backend. It can lead to heap corruption and possible remote code execution.

Which Exim versions are affected?

Exim versions before 4.99.3 are affected in certain GnuTLS configurations. Exim’s advisory specifically highlights versions 4.97 through 4.99.x when built with GnuTLS support and when STARTTLS and CHUNKING are advertised.

Are Exim OpenSSL builds affected?

No. Builds using OpenSSL or other TLS libraries are not affected by this specific GnuTLS attack path. Administrators should still verify their package build options.

How can administrators fix the Exim vulnerability?

Administrators should upgrade to Exim 4.99.3 or install the patched package provided by their Linux distribution, then restart Exim and verify that the patched process is running.

Does CVE-2026-45185 require authentication?

No. The vulnerability can be triggered by an unauthenticated remote attacker who can establish a TLS connection and use the CHUNKING BDAT SMTP extension on an affected Exim server.
