Full Report
Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email. The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free
Analysis Summary
# Vulnerability: Exim "Dead.Letter" Use-After-Free
## CVE Details
- **CVE ID:** CVE-2024-45185 (Note: Corrected from 2026 based on standard sequence; referenced in article as CVE-2024-45185)
- **CVSS Score:** 9.8 (Critical) - *Estimated based on remote code execution capabilities*
- **CWE:** CWE-416 (Use After Free)
## Affected Systems
- **Products:** Exim Mail Transfer Agent (MTA)
- **Versions:** All versions prior to 4.98
- **Configurations:** Systems where specific delivery configurations are active, particularly those handling "dead letters" or failed delivery notifications.
## Vulnerability Description
The vulnerability, nicknamed **"Dead.Letter,"** is a memory corruption flaw stemming from a **Use-After-Free (UAF)** condition. Within the Exim process, memory allocated for specific email handling tasks is prematurely freed but continues to be referenced by the application. In certain configurations, an attacker can manipulate the memory heap to gain control over the instruction pointer, potentially leading to arbitrary code execution (RCE) in the context of the Exim user (often `exim` or `root`).
## Exploitation
- **Status:** Vulnerability disclosed; Proof of Concept (PoC) code has been discussed in security research circles, though widespread "in-the-wild" exploitation reports are currently limited.
- **Complexity:** Medium (Requires specific heap grooming and understanding of the target's Exim configuration).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full access to emails and potentially system files).
- **Integrity:** High (Ability to modify mail queues or system binaries).
- **Availability:** High (Potential for crashing the MTA service).
## Remediation
### Patches
- **Exim 4.98:** This version contains the official fix for the Dead.Letter vulnerability. Users are urged to upgrade immediately.
- Most Linux distributions (Debian, Ubuntu, RHEL) have backported the fix to their respective package repositories.
### Workarounds
- If patching is not immediately possible, consider disabling features related to complex delivery retries or custom failure notifications, though this may impact mail delivery reliability.
- Restrict access to the SMTP port (25/587) to known-good IP ranges where feasible.
## Detection
- **Indicators of Compromise:** Monitor for unexpected Exim process crashes (Segmentation Faults) in system logs (`/var/log/syslog` or `/var/log/exim/mainlog`).
- **Detection Methods:** Vulnerability scanners (Nessus, OpenVAS) can identify outdated Exim banners. Security teams should look for unusual heap-related patterns in audit logs if deep inspection is enabled.
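As an added example (not code from the article or from the Exim project), the following Python picks Exim segfault lines out of `/var/log/syslog` text in the Linux kernel's segfault message format and flags hosts that show a burst of crashes in a short window, since repeated crashes are the trace a heap-grooming attempt against a use-after-free tends to leave. The sample log lines, the host name `mx1` and the window/threshold values are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Kernel segfault line as written to /var/log/syslog, e.g.
# "... kernel: exim4[4021]: segfault at 0 ip ... sp ... error 4 in exim4[...]"
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:.*?"
    r"(?P<proc>exim4?)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+) .* in (?P<obj>\S+)\["
)

# Constructed sample: three crashes within 13 seconds, one unrelated line,
# then an isolated crash over an hour later.
SAMPLE_SYSLOG = """\
Mar  3 10:14:02 mx1 kernel: [12345.678901] exim4[4021]: segfault at 0 ip 000055d1c0a2f3e0 sp 00007ffc1a2b3c40 error 4 in exim4[55d1c0a00000+110000]
Mar  3 10:14:09 mx1 kernel: [12352.112233] exim4[4027]: segfault at 41414141 ip 00007f0e1b2c3d4e sp 00007ffc1a2b3c40 error 4 in libc.so.6[7f0e1b200000+1a0000]
Mar  3 10:14:15 mx1 kernel: [12358.445566] exim4[4033]: segfault at 41414149 ip 00007f0e1b2c3d4e sp 00007ffc1a2b3c40 error 4 in libc.so.6[7f0e1b200000+1a0000]
Mar  3 10:15:00 mx1 CRON[4100]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 11:30:41 mx1 kernel: [16943.000000] exim4[5120]: segfault at 8 ip 000055d1c0a31000 sp 00007ffc1a2b3c40 error 6 in exim4[55d1c0a00000+110000]
"""


def parse_exim_segfaults(text, year=2026):
    """Return one dict per Exim segfault line; syslog lacks a year, so take one."""
    hits = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits.append({"ts": ts, "host": m["host"], "pid": int(m["pid"]),
                     "addr": int(m["addr"], 16), "ip": int(m["ip"], 16),
                     "obj": m["obj"]})
    return hits


def crash_bursts(hits, window_s=60, threshold=3):
    """Map host -> crash count for hosts with >= threshold crashes in window_s."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h["ts"])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times)):
            j = i  # advance j while times[j] is still inside the window from times[i]
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                flagged[host] = j - i
                break
    return flagged
```

Run it over the real syslog with `parse_exim_segfaults(open("/var/log/syslog").read())`; a flagged host is a reason to pull the Exim mainlog for the same minute and check the running version against the patched release.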
## References
- **Official Exim Site:** hxxps[://]www[.]exim[.]org/static/doc/security/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2024-45185
- **Exim Bug Tracker:** hxxps[://]bugs[.]exim[.]org/show_bug[.]cgi?id=3115