Full Report
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code. [...]
Analysis Summary
# Vulnerability: Exim Remote Code Execution (UAF) via GnuTLS
## CVE Details
- **CVE ID:** CVE-2026-45185
- **CVSS Score:** Critical (no numerical score is given in the source; the rating is categorical)
- **CWE:** CWE-416 (Use After Free)
## Affected Systems
- **Products:** Exim Mail Transfer Agent (MTA)
- **Versions:** 4.97 through 4.99.2
- **Configurations:**
  - Builds compiled with the **GnuTLS** library (OpenSSL builds are unaffected).
  - Servers where **STARTTLS** and **CHUNKING** (BDAT) are advertised/enabled.
## Vulnerability Description
CVE-2026-45185 is a Use-After-Free (UAF) vulnerability that occurs during the TLS shutdown sequence. When processing BDAT chunked SMTP traffic, Exim frees a TLS transfer buffer; however, it fails to invalidate stale callback references to that buffer. Those references are subsequently used to write data into the already freed memory region. This memory corruption allows an unauthenticated attacker to take control of the execution flow.
## Exploitation
- **Status:** PoC available (Developed by researchers using AI-assisted methods). Not explicitly reported as exploited in the wild at this time.
- **Complexity:** High (Requires bypassing modern mitigations like ASLR; highly dependent on specific binary compilations like non-PIE).
- **Attack Vector:** Network (Remote, unauthenticated).
## Impact
- **Confidentiality:** High (Access to emails, server data, and potential lateral movement).
- **Integrity:** High (Arbitrary code execution; ability to modify system files or mail).
- **Availability:** High (Potential for system crashes or service takeover).
## Remediation
### Patches
- **Exim version 4.99.3** has been released to resolve this issue. Users should update immediately via their OS package manager (e.g., `apt` for Debian/Ubuntu).
### Workarounds
- The source does not detail any workaround. Disabling the **CHUNKING** extension, or running an **OpenSSL**-compiled build of Exim, would in principle remove the preconditions of this attack path; both are stopgaps until the 4.99.3 update is applied.
## Detection
- **Indicators of Compromise:** Monitor for unusual crashes in the Exim process during TLS handshakes or BDAT transfers.
- **Detection methods:** Review mail logs for malformed BDAT chunks or unexpected TLS closure errors. Vulnerability scanners should check for Exim versions between 4.97 and 4.99.2.
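As an added example (not part of the advisory or of Exim), the following triage helper applies the affected profile above to inventory data: it flags a host only when the version falls in 4.97 through 4.99.2, the build reports GnuTLS, and the EHLO reply advertises both STARTTLS and CHUNKING. The `exim -bV` output and the EHLO reply are constructed samples whose shapes are assumed.

```python
"""Triage helper for the affected profile in this advisory: version in
4.97..4.99.2, GnuTLS build, STARTTLS and CHUNKING advertised.
Example code added here, not from the advisory or the Exim project."""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (4, 97)   # first affected release per the advisory
FIXED = (4, 99, 3)       # first fixed release per the advisory


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull an 'Exim 4.x[.y]' version out of a banner or `exim -bV` line."""
    m = re.search(r"Exim(?: version)? (\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_affected(ver: Tuple[int, ...]) -> bool:
    """Tuple comparison: 4.97 and 4.99.2 are in range, 4.96 and 4.99.3 are not."""
    return AFFECTED_MIN <= ver < FIXED


def ehlo_extensions(reply: str) -> set:
    """Extension keywords from a multi-line EHLO reply (first line is the greeting)."""
    exts = set()
    for line in reply.splitlines()[1:]:
        if line.startswith("250"):
            exts.add(line[4:].split()[0].upper())
    return exts


def triage(bv_output: str, ehlo_reply: str) -> dict:
    """Combine version, TLS library and advertised extensions into one verdict."""
    ver = parse_version(bv_output)
    vuln_ver = ver is not None and version_affected(ver)
    gnutls = "GnuTLS" in bv_output   # OpenSSL builds are unaffected
    exposed = {"STARTTLS", "CHUNKING"} <= ehlo_extensions(ehlo_reply)
    return {"version": ver, "version_affected": vuln_ver, "gnutls_build": gnutls,
            "starttls_and_chunking": exposed,
            "matches_profile": vuln_ver and gnutls and exposed}


# Constructed samples (assumed shapes of `exim -bV` output and an EHLO reply).
SAMPLE_BV = ("Exim version 4.99.2 #2 built 10-Mar-2026\n"
             "Support for: crypteq IPv6 GnuTLS DKIM DNSSEC\n")
SAMPLE_EHLO = ("250-mail.example.test Hello scanner [192.0.2.10]\n250-SIZE 52428800\n"
               "250-8BITMIME\n250-PIPELINING\n250-CHUNKING\n250-STARTTLS\n250 HELP\n")

if __name__ == "__main__":
    print(triage(SAMPLE_BV, SAMPLE_EHLO))
```

A host that matches the profile should be treated as patch-now; a GnuTLS host in range that does not advertise CHUNKING is still due for the 4.99.3 update, just not exposed through this path.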
## References
- **Vendor Advisory:** hxxp[://]www[.]openwall[.]com/lists/oss-security/2026/05/12/4
- **Researcher Technical Write-up:** hxxps[://]xbow[.]com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-45185
- **News Source:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/new-critical-exim-mailer-flaw-allows-remote-code-execution/