Critical Exim Use-After-Free Vulnerability (CVE-2026-45185) Allows Unauthenticated RCE on Mail Servers
Tags: Security · Infrastructure · OSS

CVE-2026-45185 is a critical use-after-free vulnerability in Exim's BDAT message body parsing path that allows unauthenticated remote code execution on GnuTLS-backed Exim servers (Debian, Ubuntu, and Debian-derived distributions). CVSS 9.8. The bug is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection, causing heap corruption. XBOW researcher Federico Kirschbaum demonstrated a full exploit chain achieving unauthenticated RCE. Exim 4.99.3 was released May 12 as the fix; Debian and Ubuntu shipped coordinated security updates. No effective configuration-based workaround exists.
Technical significance
Exim powers a significant portion of the internet's mail infrastructure, and a working unauthenticated RCE chain has already been demonstrated against GnuTLS-backed installations. Because no configuration-based workaround exists, patching is the only remediation: system administrators running Exim on Debian, Ubuntu, or Debian-derived distributions should treat this as a P1 emergency patch. The advisory scopes the bug to GnuTLS-backed builds, so administrators of Exim built or packaged elsewhere should check which TLS library their binary actually links (exim -bV reports it) rather than guess from the distribution name.
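The triage step above, as an added example that is not part of the advisory or of the Exim project: a POSIX shell script that parses the output of exim -bV (the "Exim version" line and the TLS backend token on the "Support for:" line), compares the upstream version against 4.99.3, and classifies the host. The sample output embedded below is constructed to resemble a Debian exim4 install; the output format it assumes (backend reported as GnuTLS or OpenSSL on the "Support for:" line) matches current Exim releases, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the Exim project): classify a host's
# `exim -bV` output for CVE-2026-45185 exposure.
# Assumptions: the fix is upstream Exim 4.99.3 (per the advisory); `exim -bV`
# prints "Exim version X.Y[.Z] ..." and lists the TLS backend as the token
# "GnuTLS" or "OpenSSL" on its "Support for:" line.

# Constructed sample standing in for `exim -bV` on an unpatched Debian host.
SAMPLE_BV='Exim version 4.98 #2 built 03-Jan-2025 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DANE DKIM DNSSEC Event OCSP PRDR SPF SRS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch
Library version: GnuTLS: Compile: 3.8.1
                         Runtime: 3.8.1
Configuration file is /var/lib/exim4/config.autogenerated'

# tls_backend "<exim -bV text>" -> prints GnuTLS, OpenSSL, or unknown
tls_backend() {
  b=$(printf '%s\n' "$1" | awk '/^Support for:/ {
        for (i = 3; i <= NF; i++)
          if ($i == "GnuTLS" || $i == "OpenSSL") { print $i; exit }
      }')
  printf '%s\n' "${b:-unknown}"
}

# exim_version "<exim -bV text>" -> prints the upstream version, e.g. 4.98
exim_version() {
  printf '%s\n' "$1" | awk '/^Exim version / { print $3; exit }'
}

# version_lt A B -> exit 0 when dotted version A is strictly less than B
# (numeric comparison per component; a trailing "-RC1" is ignored by awk's +0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# assess_exim "<exim -bV text>" -> prints one of:
#   likely-vulnerable     GnuTLS backend and upstream version below 4.99.3
#   patched-upstream      GnuTLS backend, upstream 4.99.3 or newer
#   not-affected-backend  OpenSSL backend (outside the advisory's scope)
#   unknown               output could not be parsed
assess_exim() {
  ver=$(exim_version "$1")
  [ -n "$ver" ] || { echo unknown; return 0; }
  case "$(tls_backend "$1")" in
    OpenSSL) echo not-affected-backend ;;
    GnuTLS)
      if version_lt "$ver" 4.99.3; then echo likely-vulnerable
      else echo patched-upstream; fi ;;
    *) echo unknown ;;
  esac
}

# Live use: assess_exim "$(exim -bV 2>/dev/null)"  (the binary is exim4 on Debian).
# "likely-vulnerable" on Debian/Ubuntu needs one more step, because distro
# security updates backport the fix without changing the upstream version
# string; check the package changelog instead (assumes the maintainers cite the
# CVE there, as Debian security uploads normally do):
#   zcat /usr/share/doc/exim4-base/changelog.Debian.gz | grep -m1 CVE-2026-45185
assess_exim "$SAMPLE_BV"
```

The version comparison is deliberately numeric per component, so 4.99.10 sorts after 4.99.3; a plain string comparison would get that wrong. The script never reports a host as safe on the basis of an unparsed backend token: anything other than an explicit OpenSSL or GnuTLS result is "unknown" and should be resolved by hand.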