Exim BDAT Vulnerability Risks Email Servers with CVSS Score of 9.8


A critical vulnerability has been identified in Exim, a widely used Mail Transfer Agent (MTA) on Unix-like systems, raising significant security concerns. The vulnerability, tracked as CVE-2026-45185, has been assigned a CVSS score of 9.8, categorizing it as a severe threat. Internally referred to as “Dead.Letter,” this remote use-after-free vulnerability can lead to memory corruption and potentially allow for code execution under specific conditions involving GnuTLS.

Exim has promptly released a security update to address this flaw. The vulnerability primarily impacts configurations where Exim is compiled with GnuTLS support enabled, making it crucial for organizations using this setup to take immediate action.

Technical Overview of the Exim BDAT Vulnerability

The Exim BDAT vulnerability stems from how Exim manages BDAT (Binary Data) SMTP message transfers when TLS sessions are unexpectedly terminated. The flaw specifically arises in the message body parsing logic when a TLS close_notify alert is received before a BDAT transfer is completed.

In this scenario, a use-after-free vulnerability occurs when Exim continues to process incoming data after the TLS session teardown has already freed internal memory buffers. If a client sends an additional byte in cleartext over the same TCP connection, Exim may attempt to write into already freed heap memory. This results in memory corruption, which can be exploited under certain conditions to achieve code execution.

Exim maintainers have detailed the triggering sequence: the vulnerability manifests when a TLS session is closed via close_notify during an active BDAT transfer, followed by continued data transmission on the same connection. This unexpected state transition allows the Exim BDAT vulnerability to surface in affected builds.

Affected Configurations and Scope of CVE-2026-45185

The vulnerability affects Exim versions 4.97 through 4.99.2, but only when compiled with USE_GNUTLS=yes. Systems built with other TLS backends, such as OpenSSL, are not impacted.

Key affected conditions include:

  • Exim versions 4.97 to 4.99.2
  • Builds using GnuTLS
  • SMTP sessions utilizing the CHUNKING (BDAT) extension
  • TLS connections interrupted by close_notify during BDAT processing

Due to the nature of the use-after-free vulnerability, exploitation relies on precise timing and protocol manipulation, but it remains classified as remotely triggerable over network connections.
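As an added example (not code from the advisory or the Exim project), the following POSIX shell script classifies `exim -bV` output against the affected window above: version 4.97 through 4.99.2 with the GnuTLS backend. The two sample dumps are constructed, and the backend detection assumes the name "GnuTLS" appears in the `Support for:` or `Library version:` lines as it does in current Exim builds.

```shell
# Added example, not from the Exim project or the advisory: classify an
# `exim -bV` dump against the CVE-2026-45185 window (4.97 <= version <= 4.99.2,
# fixed in 4.99.3) and the GnuTLS backend condition. On a live host run:
#   exim_affected "$(exim -bV 2>/dev/null)" && echo "affected"

# Constructed sample dumps, modelled on the real `exim -bV` layout.
SAMPLE_GNUTLS='Exim version 4.98.1 #2 built 12-Mar-2026 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DANE DKIM
Library version: GnuTLS: Compile: 3.8.3'

SAMPLE_OPENSSL='Exim version 4.98.1 #2 built 12-Mar-2026 10:00:00
Support for: crypteq iconv() IPv6 OpenSSL TLS_resume DANE DKIM
Library version: OpenSSL: Compile: OpenSSL 3.0.13'

# Return 0 if the version string lies in [4.97, 4.99.2], 1 otherwise,
# 2 if it cannot be parsed.
version_in_window() {
    ver=$1
    maj=${ver%%.*}; rest=${ver#*.}
    [ "$rest" != "$ver" ] || return 2        # no dot at all
    min=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    case "$maj$min$patch" in *[!0-9]*) return 2 ;; esac
    [ "$maj" -eq 4 ] || return 1
    [ "$min" -ge 97 ] && [ "$min" -le 99 ] || return 1
    [ "$min" -ne 99 ] || [ "$patch" -le 2 ]  # 4.99.x is only affected up to .2
}

# Return 0 when the dump describes an affected build: version in window
# AND the TLS backend is GnuTLS (builds against OpenSSL are not impacted).
exim_affected() {
    dump=$1
    ver=$(printf '%s\n' "$dump" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    version_in_window "$ver" || return 1
    printf '%s\n' "$dump" | grep -q 'GnuTLS'
}

for dump in "$SAMPLE_GNUTLS" "$SAMPLE_OPENSSL"; do
    if exim_affected "$dump"; then
        echo "affected: upgrade to Exim 4.99.3 or later"
    else
        echo "not affected by CVE-2026-45185"
    fi
done
```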

Security Advisory Timeline for the Exim BDAT Vulnerability

The coordinated disclosure process for CVE-2026-45185 followed a structured timeline beginning in early May 2026:

  • 2026-05-01 17:29 UTC: Initial report submitted by Federico Kirschbaum from XBOW Security.
  • 2026-05-04 20:00 UTC: Follow-up requesting status of the report.
  • 2026-05-05 ~02:53 UTC: Exim maintainers acknowledged the issue and confirmed a private fix was underway.
  • 2026-05-07 14:14 UTC: Disclosure coordination discussion initiated by the reporter.
  • 2026-05-07 22:00 UTC: Notification sent to distribution maintainers via distros@openwall.
  • 2026-05-10 20:00 UTC: Restricted fix access shared with distributors.
  • 2026-05-12 14:00 UTC: Public advisory and patch release.

The official advisory, EXIM-Security-2026-05-01.1, confirmed the issue as a remote use-after-free (UAF) class vulnerability and noted that the final CVE assignment was pending at the time of release.

Impact of the Exim BDAT Vulnerability on Mail Transfer Systems

Given Exim’s role as a widely deployed MTA, the Exim BDAT vulnerability has significant implications for mail infrastructure that relies on GnuTLS-backed TLS sessions. The flaw is particularly relevant in environments where SMTP CHUNKING (BDAT) is enabled, as it directly interacts with message body transfer behavior.

The severity of the vulnerability is underscored by its potential for memory corruption. The CVSS rating of 9.8 reflects the possibility that a successful exploit could escalate into code execution, depending on system conditions and memory layout.

The issue was resolved in Exim version 4.99.3, which introduces corrected handling of TLS session teardown during BDAT transfers. This fix ensures that internal processing states are properly reset when a close_notify alert is received, preventing stale memory references and eliminating the use-after-free vulnerability condition.

According to the advisory, there is no known mitigation other than upgrading. Administrators running affected versions are strongly advised to move to Exim 4.99.3 or later as soon as possible.

For further details on the Exim BDAT vulnerability, visit the original reporting source: thecyberexpress.com.
