patch · Published May 12, 2026 · Updated May 18, 2026 · 1 source

Critical Exim BDAT Vulnerability (CVE-2026-45185) Allows Remote Code Execution in GnuTLS Builds

A critical use-after-free vulnerability (CVSS 9.8) in Exim's BDAT message body parsing, present only in GnuTLS builds, allows unauthenticated attackers to achieve remote code execution.

Exim has released version 4.99.3 to patch CVE-2026-45185 (CVSS 9.8), a critical use-after-free vulnerability in the mail transfer agent's BDAT message body parsing that affects builds using GnuTLS. The flaw, dubbed Dead.Letter, was discovered by Federico Kirschbaum of XBOW's Security Lab and reported on May 1, 2026.

The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection. This sequence causes Exim to write into a memory buffer that has already been freed during TLS session teardown, leading to heap corruption. An attacker only needs to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension.

XBOW described the vulnerability as 'one of the highest-caliber bugs' discovered in Exim to date, noting that triggering it requires almost no special configuration on the server. The issue impacts all Exim versions from 4.97 up to and including 4.99.2, but only builds compiled with USE_GNUTLS=yes. OpenSSL builds are not impacted.

The fix in version 4.99.3 ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing stale pointers from being used. There are no mitigations that resolve the vulnerability, so all users are advised to upgrade as soon as possible.
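Because exposure depends on both the Exim version and the TLS library it was built against, the quickest way to triage a host is to read `exim -bV`, which prints the version on its first line and lists `GnuTLS` or `OpenSSL` under `Support for:`. The following script is an added example written for this article, not code from the Exim project; it encodes the affected range stated above (4.97 through 4.99.2, GnuTLS builds only, fixed in 4.99.3) and runs against constructed sample output when the `exim` binary is not on the PATH.

```python
"""Triage an Exim build for CVE-2026-45185 from `exim -bV` output.

Rule from the advisory: affected when Exim is 4.97 <= version < 4.99.3
AND the binary was built with GnuTLS (USE_GNUTLS=yes). OpenSSL builds are safe.
"""
import re
import subprocess
from typing import Optional, Tuple

FIRST_AFFECTED = (4, 97, 0)   # 4.97 is the first vulnerable release
FIRST_FIXED = (4, 99, 3)      # 4.99.3 carries the fix

# Constructed samples of `exim -bV` output (not captured from real hosts);
# the line layout mirrors what the real binary prints.
SAMPLE_GNUTLS_VULNERABLE = """Exim version 4.99.2 #3 built 14-Apr-2026 10:21:07
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dnsdb dsearch
Library version: GnuTLS: Compile: 3.8.3
"""
SAMPLE_OPENSSL_SAME_VERSION = """Exim version 4.99.2 #1 built 14-Apr-2026 10:30:00
Support for: crypteq iconv() IPv6 OpenSSL DANE DKIM DNSSEC Event OCSP PRDR
Library version: OpenSSL: Compile: OpenSSL 3.0.13 30 Jan 2024
"""
SAMPLE_GNUTLS_FIXED = """Exim version 4.99.3 #1 built 10-May-2026 08:00:00
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.8.3
"""


def parse_version(bv_output: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from the 'Exim version X.Y[.Z] #N built ...' line."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found in -bV output")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_library(bv_output: str) -> Optional[str]:
    """Return 'GnuTLS', 'OpenSSL' or None based on the 'Support for:' feature list."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    features = m.group(1).split() if m else []
    for lib in ("GnuTLS", "OpenSSL"):
        if lib in features:
            return lib
    return None


def is_affected(bv_output: str) -> bool:
    """True only for GnuTLS builds inside the vulnerable version window."""
    version = parse_version(bv_output)
    return tls_library(bv_output) == "GnuTLS" and FIRST_AFFECTED <= version < FIRST_FIXED


def assess(bv_output: str) -> dict:
    """Structured verdict suitable for feeding into an inventory or ticket."""
    version = parse_version(bv_output)
    return {
        "version": ".".join(str(n) for n in version),
        "tls_library": tls_library(bv_output),
        "affected": is_affected(bv_output),
        "action": "upgrade to 4.99.3 or later" if is_affected(bv_output) else "none required",
    }


def live_check() -> dict:
    """Run the local `exim -bV` and assess it (raises FileNotFoundError if exim is absent)."""
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    try:
        print(live_check())
    except FileNotFoundError:
        print("exim not on PATH; assessing constructed samples instead")
        for name, sample in (("gnutls 4.99.2", SAMPLE_GNUTLS_VULNERABLE),
                             ("openssl 4.99.2", SAMPLE_OPENSSL_SAME_VERSION),
                             ("gnutls 4.99.3", SAMPLE_GNUTLS_FIXED)):
            print(name, "->", assess(sample))
```

The version tuple comparison handles two-component releases such as 4.97 (treated as 4.97.0) as well as three-component ones, so 4.96 and earlier fall outside the window while 4.97 itself is flagged; the TLS check deliberately keys on the `Support for:` list rather than the `Library version:` line, since that list is what reflects the `USE_GNUTLS` build setting.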

This is not the first time critical use-after-free bugs in Exim have been disclosed. In late 2017, Exim patched a use-after-free vulnerability in the SMTP daemon (CVE-2017-16943, CVSS 9.8) that unauthenticated attackers could exploit to achieve remote code execution via specially crafted BDAT commands. The recurrence of such severe memory corruption flaws in core email infrastructure underscores the importance of rigorous memory safety practices in network-facing software.

Synthesized by Vypr AI