Exim has released security updates to address a critical security issue affecting certain configurations that could allow memory corruption and potential code execution.
Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email.
The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free vulnerability in Exim’s binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS.
“The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection,” Exim said in an advisory released today.
“This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension.”
The issue affects all Exim versions from 4.97 up to and including 4.99.2. That said, it only affects builds that use USE_GNUTLS=yes, meaning builds that rely on other TLS libraries like OpenSSL are not impacted.
Federico Kirschbaum, head of Security Lab at XBOW, an autonomous cybersecurity testing platform, has been credited with discovering and reporting the flaw on May 1, 2026.
“During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (n) into the freed region,” Kirschbaum said. “That one-byte write lands on Exim’s allocator metadata, corrupting the allocator’s internal state; the exploit then leverages that corruption to gain further primitives.”
XBOW described the vulnerability as “one of the highest-caliber bugs” discovered in Exim to date, adding that triggering it requires almost no special configuration on the server.
The shortcoming has been addressed in version 4.99.3. All users are advised to upgrade as soon as possible. There are no mitigations that resolve the vulnerability.
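Since exposure depends on both the version range (4.97 through 4.99.2) and a GnuTLS build, a quick inventory check is worth scripting. The following is an added example, not code from Exim or the advisory; it assumes that `exim -bV` prints an "Exim version X.Y.Z" line and a "Support for:" line naming the TLS library as a token, and the sample output it parses is constructed.

```python
import re
import subprocess

# Affected range and fixed release as stated in the advisory.
FIRST_AFFECTED = (4, 97, 0)
LAST_AFFECTED = (4, 99, 2)
FIXED = "4.99.3"

# Constructed sample of `exim -bV` output for a GnuTLS build (not real output).
SAMPLE_OUTPUT = """Exim version 4.98.1 #2 built 01-Jan-2026 00:00:00
Copyright (c) University of Cambridge, 1995 - 2024
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DKIM DNSSEC
"""


def parse_version(text):
    """Turn '4.97' or '4.99.2' into a three-part tuple so ranges compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def parse_exim_bv(output):
    """Return (version_string, uses_gnutls) from `exim -bV` text.
    Assumption: the library appears as a 'GnuTLS' token on the 'Support for:' line."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)+)", output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found in output")
    support = re.search(r"^Support for:(.*)$", output, re.M)
    tokens = support.group(1).split() if support else []
    return m.group(1), "GnuTLS" in tokens


def is_affected(version, uses_gnutls):
    """CVE-2026-45185 needs both an in-range version and a GnuTLS-linked build."""
    v = parse_version(version)
    return uses_gnutls and FIRST_AFFECTED <= v <= LAST_AFFECTED


def assess(output):
    version, gnutls = parse_exim_bv(output)
    if is_affected(version, gnutls):
        return f"Exim {version} (GnuTLS): AFFECTED, upgrade to {FIXED}"
    why = "not a GnuTLS build" if not gnutls else "version outside affected range"
    return f"Exim {version}: not affected ({why})"


if __name__ == "__main__":
    try:  # Use the live binary when present, otherwise the constructed sample.
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = SAMPLE_OUTPUT
    print(assess(out))
```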
“The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used,” Exim noted.
This isn’t the first time critical use-after-free bugs in Exim have been disclosed. In late 2017, Exim patched a use-after-free vulnerability in the SMTP daemon (CVE-2017-16943, CVSS score: 9.8) that unauthenticated attackers could have exploited to achieve remote code execution via specially crafted BDAT commands and seize control of the email server.