[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxvvW9WuezPlIHKdmRIAxBXa8g50vhOLZmiLJ6waOwaQ":3},{"article":4,"iocs":40},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"553fa590-5322-486e-a6e9-b6036cff3950","New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution","new-exim-bdat-vulnerability-exposes-gnutls-builds-to-potential-code-execution-c50c2a","Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email. The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free","Exim released security updates to address CVE-2026-45185 (Dead.Letter), a critical use-after-free vulnerability in BDAT message body parsing when GnuTLS is used. The flaw is triggered when a TLS close_notify alert arrives during incomplete body transfer, causing heap corruption that can lead to code execution. The vulnerability affects Exim versions 4.97–4.99.2 and has been patched in 4.99.3; no mitigations exist.","Exim BDAT use-after-free vulnerability (CVE-2026-45185) enables RCE in GnuTLS builds.","New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Ravie LakshmananMay 12, 2026Vulnerability \u002F Email Security Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email. The vulnerability, tracked as CVE-2026-45185 (CVSS score: 9.8), aka Dead.Letter, has been described as a use-after-free vulnerability in Exim's binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS. \"The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection,\" Exim said in an advisory released today. \"This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension.\" The issue impacts all Exim versions from 4.97 up to and including 4.99.2. That said, it only affects builds that use USE_GNUTLS=yes, meaning builds that rely on other TLS libraries like OpenSSL are not impacted. Federico Kirschbaum, head of Security Lab at XBOW, an autonomous cybersecurity testing platform, has been credited with discovering and reporting the flaw on May 1, 2026. \"During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\\n) into the freed region,\" Kirschbaum said. \"That one-byte write lands on Exim's allocator metadata, corrupting the allocator's internal shape; the exploit then leverages that corruption to gain further primitives.\" XBOW described the vulnerability as \"one of the highest-caliber bugs\" discovered in Exim to date, adding that triggering it requires almost no special configuration on the server. The shortcoming has been addressed in version 4.99.3. All users are advised to upgrade as soon as possible. There are no mitigations that resolve the vulnerability. \"The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used,\" Exim noted. This is not the first time critical use-after-free bugs in Exim have been disclosed. In late 2017, Exim patched a use-after-free vulnerability in the SMTP daemon (CVE-2017-16943, CVSS score: 9.8) that unauthenticated attackers could have exploited to achieve remote code execution via specially crafted BDAT commands and seize control of the email server. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, email security, exim, GnuTLS, Memory Corruption, remote code execution, SMTP, Vulnerability ⚡ Top Stories This Week Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ⭐ Featured Resources [Webinar] Learn How to Handle Critical SOC Alerts With AI Support Identify Internal Attack Surfaces More Efficiently With a Free Assessment [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fnew-exim-bdat-vulnerability-exposes.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEgrSn3emm_NbwXDi3elR0wo5ErHhg-gPT4-u4zk7MHZg4u0ruMmj2_KGgPF8fz06Riv6Gu5NXMN3eBP8H5bVf6dmvOz-lvb-qrvhLlssLUzl97ZVmIWoIOmMPOGrupv864dt0d4V_dxgaaxYYNuy2z9rbZMWIOcjlwZaiifq4-ktRqlEBCJ6a_m3MFiwq65\u002Fs1600\u002Fexim.jpg","2026-05-12T16:44:00+00:00","2026-05-12T20:00:14.0175+00:00",9,[18,21,24,26],{"name":19,"type":20},"Exim","product",{"name":22,"type":23},"GnuTLS","technology",{"name":25,"type":23},"OpenSSL",{"name":27,"type":28},"XBOW","vendor","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":29,"icon":31,"name":32,"slug":33},null,"Vulnerabilities","vulnerabilities",[35],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",[41,45],{"type":42,"value":43,"context":44},"cve","CVE-2026-45185","Use-after-free vulnerability in Exim BDAT parsing with GnuTLS, CVSS 9.8",{"type":42,"value":46,"context":47},"CVE-2017-16943","Prior use-after-free in Exim SMTP daemon, patched in late 2017, CVSS 9.8"]