New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Ravie Lakshmanan May 12, 2026 Vulnerability / Email Security Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email.
The vulnerability, tracked as CVE-2026-45185 (CVSS score: 9.8), aka Dead.Letter, has been described as a use-after-free vulnerability in Exim's binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS. "The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection," Exim said in an advisory released today. "This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption.
An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension." The issue impacts all Exim versions from 4.97 up to and including 4.99.2. That said, it only affects builds that use USE_GNUTLS=yes, meaning builds that rely on other TLS libraries like OpenSSL are not impacted. Federico Kirschbaum, head of Security Lab at XBOW, an autonomous cybersecurity testing platform, has been credited with discovering and reporting the flaw on May 1, 2026. "During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region," Kirschbaum said . "That one-byte write lands on Exim's allocator metadata, corrupting the allocator's internal shape; the exploit then leverages that corruption to gain further primitives." XBOW described the vulnerability as "one of the highest-caliber bugs" discovered in Exim to date, adding that triggering it requires almost no special configuration on the server.
The shortcoming has been addressed in version 4.99.3. All users are advised to upgrade as soon as possible. There are no mitigations that resolve the vulnerability. "The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used," Exim noted. This is not the first time critical use-after-free bugs in Exim have been disclosed.
In late 2017, Exim patched a use-after-free vulnerability in the SMTP daemon ( CVE-2017-16943 , CVSS score: 9.8) that unauthenticated attackers could have exploited to achieve remote code execution via specially crafted BDAT commands and seize control of the email server. Found this article interesting? Follow us on Google News , Twitter LinkedIn to read more exclusive content we post. Tweet Share Share Share cybersecurity , email security , exim , GnuTLS , Memory Corruption , remote code execution , SMTP , Vulnerability ⚡ Top Stories This Week 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign Trellix Confirms Source Code Breach With Unauthorized Repository Access ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE and More Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise 2026: The Year of AI-Assisted Attacks Day Zero Readiness: The Operational Gaps That Break Incident Response We Scanned 1 Million Exposed AI Services.
Here's How Bad the Security Actually Is ⭐ Featured Resources [Webinar] Learn How Autonomous Validation Keeps Pace With AI Attacks [Guide] Get Practical AI SOC Insights to Improve Threat Detection [Demo] Discover How to Control Autonomous Identity Risks Effectively [Demo] Stop Email Attacks and Protect Cloud Workspace Data Faster Cybersecurity Webinars Building Stronger Defenses Stop Patient Zero Attacks Before They Bypass Detection Learn how to stop patient zero attacks before they bypass detection and compromise your systems at entry points.
Register Reduce AppSec Risk Validate Real Attack Paths Before Attackers Exploit Them Learn how to validate real attack paths and reduce exploitable risk with continuous agentic security validation. ⚡ Latest News Cybersecurity Resources Build Security Strategy That Earns Executive Buy-In — SANS LDR514, NYC SANS LDR514 in NYC, Aug 10–15: policy, risk frameworks, board communication, and strategic leadership.
Your VPN is Helping Attackers Move as Fast as AI AI collapsed human response window and turned remote access into fastest path to breach. Earn a Master's in Cybersecurity Risk Management Lead the future of cybersecurity risk management with an online Master’s from Georgetown. Expert Insights Articles Videos From Phishing to Recovery: Breaking the Ransomware Attack Chain May 04, 2026 Read ➝ Mythos is Coming: What the Next Six Months Require Your Biggest Security Risk Isn’t Malware — It's What You Already Trust CTM360 Exposes Global GovTrap Campaign With 11,000+ Fake Government Portals Targeting Citizens Worldwide April 27, 2026 Get the Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.