Exim has published a critical update that corrects a use-after-free vulnerability in the parsing of the BDAT message body when the TLS stack is built on GnuTLS. Identified as CVE-2026-45185 (Dead.Letter), the flaw allows a client that can establish a TLS connection to cause heap corruption and potentially execute code remotely without authentication, abusing the CHUNKING (BDAT) extension of the SMTP protocol.
From a technical point of view, the error surfaces during the TLS shutdown sequence: if a client sends a close_notify alert before completing the BDAT transfer and then injects a plaintext byte on the same TCP connection, Exim can end up writing to a buffer that has already been freed. That single byte overwrites heap allocator metadata, which opens the way to exploitation techniques that turn the corruption into useful primitives for an attacker. The issue was reported by Federico Kirschbaum of XBOW on May 1, 2026, and the fix is included in version 4.99.3.

The vulnerability affects the Exim 4.97 through 4.99.2 series, but with a significant qualification: it only impacts binaries compiled with USE_GNUTLS=yes. Deployments using other TLS libraries such as OpenSSL are not affected by this particular flaw. This forces administrators to verify not only the package version, but also how their Exim was compiled.
Exploiting the flaw requires no prior privileges or authentication; it relies only on the ability to negotiate a TLS session and use BDAT. In practice this means that exposed mail servers that advertise CHUNKING in their EHLO response and that were compiled with GnuTLS can be attacked from the network. Since the required sequence is relatively simple and the flaw corrupts internal allocator structures, researchers rate it as very high risk.
The immediate recommendations are clear: update Exim to version 4.99.3 as soon as possible. According to the project's advisory there is no complete mitigation that replaces the patch, so staying on earlier versions leaves the infrastructure at risk. If you cannot apply the update immediately, consider temporary mitigations until patching is possible: restrict access to the SMTP service from untrusted clients through access control lists and firewalls, temporarily remove GnuTLS-based TLS support, or rebuild Exim against another TLS library (e.g. OpenSSL) if that is feasible in your environment.
To quickly check the version and TLS configuration of your installation, you can run Exim commands that show the installed version and, on many systems, whether Exim was compiled with GnuTLS. A practical approach is to consult the output of exim -bV or the system packaging documentation, and to check whether your server advertises CHUNKING in the EHLO negotiation. In addition, monitor logs for unexpected restarts, core dumps, or BDAT patterns combined with TLS closures, since exploitation attempts may leave traces in connection records and process failures.
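The following triage script is an added example, not code from the Exim project or the advisory. It combines the three exposure conditions the article names (version in the 4.97 to 4.99.2 range, a GnuTLS build, and CHUNKING advertised in the EHLO response) into functions that can be run offline against captured text. It assumes POSIX sh with awk, sed and grep, and that `exim -bV` prints an `Exim version X.Y.Z` line and a `Support for:` line naming the TLS library, which is the format matched here; the sample outputs and EHLO response are constructed for demonstration and are not real server output.

```shell
#!/bin/sh
# Added example (not Exim project code): offline triage helpers for the
# CVE-2026-45185 exposure conditions: Exim 4.97..4.99.2 built with GnuTLS,
# plus a listener that advertises CHUNKING. Assumes POSIX sh, awk, sed, grep.

# Print the TLS backend named on the "Support for:" line of `exim -bV`
# output: GnuTLS, OpenSSL, or "none" when no TLS library is listed.
tls_backend() {
    printf '%s\n' "$1" | awk '
        /^Support for:/ {
            if ($0 ~ /GnuTLS/)       { print "GnuTLS";  found = 1 }
            else if ($0 ~ /OpenSSL/) { print "OpenSSL"; found = 1 }
        }
        END { if (!found) print "none" }'
}

# Print the dotted version from the "Exim version X.Y.Z ..." line.
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Encode a dotted version as one integer (major*10^6 + minor*10^3 + patch)
# so ranges compare with plain shell arithmetic; "4.97" counts as 4.97.0.
version_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + ($3 == "" ? 0 : $3) }'
}

# Exit 0 when the build is in the vulnerable range AND uses GnuTLS, else 1.
is_vulnerable() {
    ver=$(exim_version "$1")
    [ -n "$ver" ] || return 1
    [ "$(tls_backend "$1")" = "GnuTLS" ] || return 1
    k=$(version_key "$ver")
    [ "$k" -ge "$(version_key 4.97)" ] && [ "$k" -le "$(version_key 4.99.2)" ]
}

# Exit 0 when a captured EHLO response advertises the CHUNKING extension.
chunking_advertised() {
    printf '%s\n' "$1" | grep -qiE '^250[ -]CHUNKING[[:space:]]*$'
}

# Constructed samples of `exim -bV` output (not real output from any host).
SAMPLE_GNUTLS='Exim version 4.99.1 #1 built 01-Apr-2026 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.8.0 Runtime: 3.8.0'

SAMPLE_OPENSSL='Exim version 4.99.1 #1 built 01-Apr-2026 10:00:00
Support for: crypteq iconv() IPv6 OpenSSL DANE DKIM DNSSEC Event OCSP PRDR
Library version: OpenSSL: Compile: OpenSSL 3.0.13 Runtime: OpenSSL 3.0.13'

SAMPLE_FIXED='Exim version 4.99.3 #1 built 02-May-2026 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR'

# Constructed EHLO response, as a server would return it on port 25.
SAMPLE_EHLO='250-mail.example.test Hello client [203.0.113.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP'

# Demonstrate on the samples. On a real host pass "$(exim -bV)" instead
# (Debian-based systems name the binary exim4).
for s in "$SAMPLE_GNUTLS" "$SAMPLE_OPENSSL" "$SAMPLE_FIXED"; do
    if is_vulnerable "$s"; then
        printf 'Exim %s (%s): VULNERABLE to CVE-2026-45185, update to 4.99.3\n' \
            "$(exim_version "$s")" "$(tls_backend "$s")"
    else
        printf 'Exim %s (%s): not affected by CVE-2026-45185\n' \
            "$(exim_version "$s")" "$(tls_backend "$s")"
    fi
done
if chunking_advertised "$SAMPLE_EHLO"; then
    echo "EHLO advertises CHUNKING: BDAT is reachable by any connecting client"
fi
```

The version check and the backend check are deliberately separate, because the article's key point is that the package version alone is not enough: a 4.99.1 build linked against OpenSSL is reported as not affected, while the same version with GnuTLS is flagged. The EHLO check only tells you whether BDAT is reachable at all; it does not by itself indicate exposure on a patched or OpenSSL build.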
In the medium term, it is worth incorporating these operational measures: maintain an inventory that records not only software versions but also compile-time options, automate testing in staging environments before deploying critical updates, and review the exposure surface of the SMTP service (which ports are open and which clients are authorized). Signature-based detection and TLS/SMTP traffic analysis are also recommended to identify unusual sequences involving BDAT and close_notify.

This episode recalls dangerous precedents: Exim had already patched an extremely critical use-after-free in 2017 (CVE-2017-16943), which allowed remote exploitation via BDAT. The recurrence of flaws in BDAT handling underlines the complexity of implementing protocol extensions that interact with TLS session shutdown and buffer management. Keeping TLS libraries and the MTA up to date is an essential preventive measure.
You can find the release and resources of the Exim project on its official website, https://www.exim.org/, and consult the vulnerability record in the National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2026-45185. For information on the TLS libraries mentioned above, see https://www.gnutls.org/ and https://www.openssl.org/.
In short: identify which hosts run Exim compiled with GnuTLS, prioritize the update to Exim 4.99.3, monitor the logs for signs of exploitation and, if you cannot patch immediately, apply access controls and consider temporary build alternatives to reduce exposure. The severity and simplicity of the exploitable sequence make this vulnerability a priority for anyone running mail servers in production.