Exim BDAT Flaw Exposes GnuTLS Builds to Code Execution Risk

CVE-2026-45185, aka Dead.Letter, is a use-after-free vulnerability in Exim's BDAT handling that can lead to heap corruption and potential code execution when Exim is built with GnuTLS.

How the BDAT + TLS sequence can corrupt memory

Exim's advisory explains the precise trigger: "The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection." In that sequence, Exim tears down the TLS session and frees its TLS transfer buffer while a nested BDAT receive wrapper can still process incoming bytes.

Federico Kirschbaum, head of Security Lab at XBOW, described the low-level action that leads to corruption: "During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region," he said. "That one-byte write lands on Exim's allocator metadata, corrupting the allocator's internal shape; the exploit then leverages that corruption to gain further primitives."

Which Exim versions and builds are at risk

The bug impacts all Exim versions from 4.97 up to and including 4.99.2, but it is limited to builds that use GnuTLS. Specifically, the issue affects Exim when built with USE_GNUTLS=yes; builds that rely on other TLS libraries such as OpenSSL are not impacted.

According to Exim, an attacker only needs the ability to establish a TLS connection and to use the CHUNKING (BDAT) SMTP extension to trigger the sequence. That makes the technical prerequisites narrow: TLS-capable clients that use BDAT chunking and that can send a close_notify followed by a cleartext byte on the same TCP connection.

Discovery, attribution, and severity

Federico Kirschbaum of XBOW reported the flaw on May 1, 2026. XBOW characterized the finding as significant, calling it "one of the highest-caliber bugs" discovered in Exim to date and noting that triggering it "requires almost no special configuration on the server."

The vulnerability is tracked publicly as CVE-2026-45185 and has been given the nickname Dead.Letter. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email; the advisory makes clear the bug sits in Exim's BDAT message body parsing when TLS is provided by GnuTLS.

Patch, limitations, and recommended action

Exim has released a fix in version 4.99.3. "The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used," Exim noted.

Crucially, Exim's advisory states that "All users are advised to upgrade as soon as possible. There are no mitigations that resolve the vulnerability." Given that explicit guidance, the only fully effective remediation is to apply the update to 4.99.3 for affected builds.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: Verify whether deployed Exim builds were compiled with USE_GNUTLS=yes and identify hosts running Exim 4.97 through 4.99.2. Prioritize upgrading to Exim 4.99.3 on exposed systems because, per Exim, there are no other mitigations that resolve the vulnerability.
  • Affected enterprises and mail operators: Because the exploit leverages BDAT chunking and a permitted TLS shutdown sequence, operators should inventory servers that accept BDAT and TLS connections and apply the patch rapidly to reduce the risk of heap corruption and potential code execution.
  • End users and administrators of non-GnuTLS builds: Systems using other TLS libraries such as OpenSSL are not affected, but administrators should still confirm build options and versions rather than assume safety by library alone.
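The inventory step above (which TLS library the build uses, and whether the version falls in 4.97 through 4.99.2) can be scripted from the output of `exim -bV`. The following POSIX shell script is an added example, not code from the Exim project, XBOW, or the article. It assumes that the `Support for:` line printed by `exim -bV` names the TLS library (`GnuTLS` or `OpenSSL`), which is how Exim reports it; the sample outputs embedded below are constructed and abbreviated.

```shell
#!/bin/sh
# Added example (not from the Exim project or the article): classify an Exim
# build from `exim -bV` output. A build is flagged "affected" when its version
# is in 4.97 .. 4.99.2 inclusive AND the "Support for:" line lists GnuTLS.

# Constructed, abbreviated `exim -bV` outputs used as offline sample input.
SAMPLE_GNUTLS='Exim version 4.98.1 #2 built 10-Jan-2025 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DKIM DNSSEC
Configuration file is /etc/exim4/exim4.conf'

SAMPLE_OPENSSL='Exim version 4.98.1 #2 built 10-Jan-2025 10:00:00
Support for: crypteq iconv() IPv6 OpenSSL TLS_resume DKIM DNSSEC
Configuration file is /etc/exim4/exim4.conf'

SAMPLE_PATCHED='Exim version 4.99.3 #1 built 05-May-2026 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DKIM DNSSEC
Configuration file is /etc/exim4/exim4.conf'

# exim_version BV_OUTPUT -> prints "MAJOR MINOR PATCH" (PATCH defaults to 0).
# Only the "Exim version X.Y[.Z]" line is consulted; the "#N" build number is ignored.
exim_version() {
    printf '%s\n' "$1" | awk '/^Exim version/ {
        split($3, v, ".")
        printf "%d %d %d\n", v[1], v[2], v[3] + 0
        exit }'
}

# in_affected_range MAJOR MINOR PATCH -> success if 4.97.0 <= version <= 4.99.2
in_affected_range() {
    maj=$1; min=$2; pat=$3
    [ "$maj" -eq 4 ] || return 1        # only the 4.x line is in scope
    [ "$min" -ge 97 ] || return 1       # lower bound: 4.97
    [ "$min" -lt 99 ] && return 0       # 4.97.x and 4.98.x are all affected
    if [ "$min" -eq 99 ] && [ "$pat" -le 2 ]; then
        return 0                        # 4.99.0 .. 4.99.2 affected; 4.99.3 is the fix
    fi
    return 1
}

# uses_gnutls BV_OUTPUT -> success if the "Support for:" line lists GnuTLS
uses_gnutls() {
    printf '%s\n' "$1" | grep '^Support for:' | grep -q 'GnuTLS'
}

# classify BV_OUTPUT -> prints one of:
#   affected | not-affected-tls-lib | not-affected-version | unknown
classify() {
    set -- "$1" $(exim_version "$1")
    if [ -z "$2" ]; then
        echo unknown; return            # no "Exim version" line found
    fi
    if ! in_affected_range "$2" "$3" "$4"; then
        echo not-affected-version; return
    fi
    if uses_gnutls "$1"; then
        echo affected
    else
        echo not-affected-tls-lib       # e.g. OpenSSL build: not impacted per the advisory
    fi
}
```

On a live host run it as `classify "$(exim -bV)"` (the binary is named `exim4` on Debian-derived systems). A result of `affected` means the host needs the 4.99.3 update; `not-affected-tls-lib` confirms the build is not a GnuTLS build, which is the check the last bullet above asks administrators to make rather than assuming safety by library alone.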

This is not Exim's first encounter with high-severity BDAT-related use-after-free flaws. The advisory recalls that in late 2017 Exim patched a use-after-free vulnerability in the SMTP daemon (CVE-2017-16943, CVSS score: 9.8) that could have been exploited by unauthenticated attackers via specially crafted BDAT commands to achieve remote code execution.

Exim maintainers and the researcher who reported the issue have provided a clear path: upgrade to 4.99.3. The record shows that BDAT parsing plus TLS state management is a brittle intersection; until the patched code is widely deployed, exposed GnuTLS-built Exim servers remain at material risk. For operators of mail infrastructure, the choice is simple and urgent: apply the 4.99.3 update without delay.

Original advisory: https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html