New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
Exim update patches a critical use-after-free vulnerability in GnuTLS builds; memory corruption and code execution risk
Exim Patches Critical Use-After-Free in GnuTLS Builds; Heap Corruption and Code Execution Risk
TL;DR Exim released version 4.99.3 to fix CVE-2026-45185, a use-after-free vulnerability in BDAT message parsing affecting GnuTLS builds. The flaw allows attackers with TLS access and CHUNKING extension support to corrupt heap memory and potentially execute code. Versions 4.97 through 4.99.2 are affected; OpenSSL builds are not impacted. Upgrade immediately; no workarounds exist.
What happened
Exim released a security advisory on May 1, 2026, disclosing CVE-2026-45185, a use-after-free vulnerability in its BDAT (binary data transmission) message body parsing logic. The flaw exists only in builds compiled with GnuTLS support (USE_GNUTLS=yes).
The vulnerability is triggered during a specific sequence: an attacker establishes a TLS connection, sends a close_notify alert before completing a BDAT body transfer, then transmits a final byte in cleartext on the same TCP connection. This ordering causes Exim to write into a memory buffer that has already been freed during TLS session teardown, resulting in heap corruption.
According to Federico Kirschbaum, head of Security Lab at XBOW, the attack works by exploiting the interaction between TLS shutdown and the nested BDAT receive wrapper. When TLS teardown frees the transfer buffer, the BDAT wrapper can still process incoming bytes and call ungetc(), writing a single character into the freed region. This one-byte write corrupts the allocator's internal metadata, which attackers can then leverage to gain further memory manipulation primitives.
The vulnerability affects all versions from 4.97 through 4.99.2. It has been fixed in version 4.99.3.
Why it matters
This is a memory corruption vulnerability in a critical infrastructure component. Exim is a mail transfer agent (MTA) responsible for receiving, routing, and delivering email on Unix-like systems across the internet. MTAs are often exposed to untrusted networks and are frequent targets for exploitation.
The prerequisites for an attack are minimal: an attacker needs only the ability to open a TLS connection and access to the CHUNKING (BDAT) SMTP extension. XBOW noted that triggering the vulnerability requires almost no special server configuration, making it accessible to a broad class of attackers.
Memory corruption leading to heap allocator metadata poisoning typically enables privilege escalation, arbitrary code execution, or denial of service. In the MTA context, successful exploitation could grant attackers control of the mail server and potentially access to stored or transiting email.
The flaw mirrors a previous critical use-after-free in Exim (CVE-2017-16943, CVSS 9.8) patched in late 2017, suggesting use-after-free bugs remain a persistent class of defect in this codebase.
Affected systems and CVEs
- Exim 4.97 through 4.99.2 (GnuTLS builds only)
- CVE-2026-45185 (Dead.Letter)
- CVE-2017-16943 (historical reference; not part of this advisory)
OpenSSL builds are not affected by CVE-2026-45185.
What to do
- Upgrade to Exim version 4.99.3 or later immediately.
- No mitigations exist short of upgrading. The fix resets the input processing stack when a TLS close notification is received during active BDAT transfer, preventing stale pointers from being dereferenced.
- If you run Exim with GnuTLS support on versions 4.97–4.99.2, prioritize this update as a critical patch.
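A quick way to triage hosts against the affected range and TLS library named above, added here as an example and not part of the advisory or of Exim itself. It assumes `exim -bV` output of the usual shape (an `Exim version X.Y.Z` line and a `Support for:` line naming GnuTLS or OpenSSL, either as a bare token or as `TLS=<name>`) and uses constructed sample output rather than output captured from a real host.

```python
import re
import subprocess

# Affected range and fixed version as stated in the advisory.
AFFECTED_MIN = (4, 97)
AFFECTED_MAX = (4, 99, 2)
FIXED = (4, 99, 3)

def parse_version(text):
    """Extract the Exim version from 'exim -bV' output as a tuple of ints."""
    m = re.search(r"Exim version (\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no 'Exim version' line found")
    return tuple(int(p) for p in m.group(1).split("."))

def pad(v, n=3):
    """Right-pad a version tuple with zeros so '4.99' compares as (4, 99, 0)."""
    return v + (0,) * (n - len(v))

def tls_library(text):
    """Return 'GnuTLS', 'OpenSSL' or None from the 'Support for:' line.
    Assumption: the library appears there as a bare token or as TLS=<name>."""
    m = re.search(r"^Support for:.*$", text, re.MULTILINE)
    if not m:
        return None
    tokens = {t.split("=", 1)[-1] for t in m.group(0).split()}
    for lib in ("GnuTLS", "OpenSSL"):
        if lib in tokens:
            return lib
    return None

def is_affected(text):
    """True when the build is GnuTLS-based and 4.97 <= version <= 4.99.2."""
    v = pad(parse_version(text))
    return tls_library(text) == "GnuTLS" and pad(AFFECTED_MIN) <= v <= pad(AFFECTED_MAX)

def check_local_exim():
    """Run 'exim -bV' on this host (assumes exim is on PATH) and report."""
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=True).stdout
    return is_affected(out)

# Constructed sample output, not captured from a real host.
SAMPLE_GNUTLS = """Exim version 4.99.2 #3 built 20-Apr-2026 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR
"""
SAMPLE_OPENSSL = """Exim version 4.99.2 #3 built 20-Apr-2026 10:00:00
Support for: crypteq iconv() IPv6 TLS=OpenSSL DANE DKIM DNSSEC Event OCSP PRDR
"""

if __name__ == "__main__":
    for name, s in (("gnutls", SAMPLE_GNUTLS), ("openssl", SAMPLE_OPENSSL)):
        print(name, "affected" if is_affected(s) else "not affected")
```

Call `check_local_exim()` on a host to test its real build; a `True` result means a GnuTLS build inside the 4.97 to 4.99.2 range that needs the 4.99.3 update.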
Open questions
- Whether TLS libraries other than GnuTLS and OpenSSL are affected remains unspecified in the advisory.
- The existence and public availability of working proof-of-concept exploit code is not mentioned.
- The scope of real-world impact in production deployments prior to patching is unclear.
Source
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution