A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code.
Identified as CVE-2026-45185, the security issue affects some Exim versions earlier than 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication. It is a use-after-free (UAF) flaw triggered during TLS shutdown while handling BDAT chunked SMTP traffic.
Exim frees a TLS transfer buffer but later continues using stale callback references that can write data into the freed memory region, which can lead to unauthenticated remote code execution (RCE).
Exim is a widely deployed open-source mail transfer agent (MTA) used to send, receive, and route email on Linux and Unix servers. It is used on Linux servers, in shared hosting environments, in enterprise mail systems, and on Debian- and Ubuntu-based distributions, where it has historically been the default mail server.
CVE-2026-45185 was discovered and reported by XBOW researcher Federico Kirschbaum. It affects Exim versions 4.97 through 4.99.2 on builds compiled with GnuTLS that have STARTTLS and CHUNKING advertised. OpenSSL-based builds are not affected.
Attackers exploiting the vulnerability could execute commands on the server as well as access Exim data and emails, and potentially pivot further into the environment depending on server permissions and configuration.
XBOW reported the vulnerability to the Exim maintainers on May 1st and received an acknowledgment on May 5th. Impacted Linux distributions were notified three days later.
A fix for CVE-2026-45185 was released in Exim version 4.99.3.
AI-assisted exploit build
XBOW reports that creating the proof-of-concept (PoC) exploit was a seven-day challenge between the company’s autonomous AI-driven development system, XBOW Native, and a human researcher assisted by a large language model.
XBOW Native successfully produced a working exploit for a simplified target Exim server that had no Address Space Layout Randomization (ASLR) and a non-PIE (Position Independent Executable) binary.
In a second attempt, the LLM achieved an exploit on a machine with ASLR, but still a non-PIE binary.
“[…] instead of continuing to attack glibc’s allocator with off-the-shelf mechanisms, XBOW Native had taken on Exim’s own allocator,” XBOW researchers say.
Despite this impressive result, it was the human researcher who won the race, with help from the LLM for tasks such as assembling data and testing exploitation avenues.
While the researcher acknowledged the impressive speed of the LLM, they realized the need to shape the work environment instead of letting the model create its own space.
“Honestly, I don’t think LLMs alone are quite ready to write exploits against real-world software yet. After this experience, I think it can really solve something CTF-shaped, but I don’t see them reaching the level of real production targets just yet.”
Still, the researcher acknowledged the crucial role of AI tools in helping humans understand unfamiliar code and dig deeper into suspicious areas much faster than without them.
To mitigate the risk, users of Ubuntu and Debian-based Linux distributions should apply the available Exim updates (v4.99.3) through their package managers.
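As an added example (not code from XBOW or the Exim project), the following POSIX shell script decides whether a local Exim build falls inside the affected set stated above, versions 4.97 through 4.99.2 compiled against GnuTLS, by parsing the version line and the "Support for:" line that `exim -bV` prints; the sample output is constructed inline so the script runs offline. Whether STARTTLS and CHUNKING are advertised depends on the runtime configuration and is not visible in that output, so that part of the precondition still has to be checked against the config.

```shell
# Turn "4.99" into 49900 and "4.99.2" into 49902 so versions compare as integers
# (assumes minor and patch numbers below 100, which holds for Exim 4.x).
exim_version_key() {
    maj=${1%%.*}
    rest=${1#*.}
    case "$rest" in
        *.*) min=${rest%%.*}; pat=${rest#*.} ;;
        *)   min=$rest;       pat=0 ;;
    esac
    echo $((maj * 10000 + min * 100 + pat))
}

# Returns 0 (true) when the build is in the affected set, 1 otherwise.
# $1 is the full output of `exim -bV`.
exim_build_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    key=$(exim_version_key "$ver")
    lo=$(exim_version_key 4.97)
    hi=$(exim_version_key 4.99.2)
    # 4.99.3 and later carry the fix; anything before 4.97 is out of the stated range.
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ] || return 1
    # The TLS library is named on the "Support for:" line; OpenSSL builds are not affected.
    printf '%s\n' "$1" | grep -q '^Support for:.*GnuTLS' || return 1
}

# Constructed sample of `exim -bV` output (not captured from a real host).
SAMPLE_BV='Exim version 4.98.1 #2 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC'

# On a real host, replace SAMPLE_BV with "$(exim -bV 2>/dev/null)".
if exim_build_affected "$SAMPLE_BV"; then
    echo "affected build: update to Exim 4.99.3 or later"
else
    echo "not in the affected set"
fi
```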