VYPR
Published May 13, 2026 · Updated May 18, 2026 · 1 source

Critical Exim Mail Server Flaw Allows Unauthenticated Remote Code Execution

A critical use-after-free vulnerability in Exim versions 4.97 through 4.99.2 compiled with GnuTLS allows unauthenticated remote attackers to execute arbitrary code on affected mail servers.

A critical vulnerability in the widely used Exim mail transfer agent (MTA) could allow unauthenticated remote attackers to execute arbitrary code on affected servers. Tracked as CVE-2026-45185, the flaw is a use-after-free (UAF) bug triggered during TLS shutdown while Exim is handling BDAT chunked SMTP traffic (the CHUNKING extension). Exim frees a TLS transfer buffer but later continues to use stale callback references that can write data into the freed memory region, which can lead to remote code execution.

The vulnerability impacts Exim versions 4.97 through 4.99.2 compiled with the default GnuTLS library for secure communication. OpenSSL-based builds are not affected. The flaw was discovered and reported by XBOW researcher Federico Kirschbaum, who notified Exim maintainers on May 1, 2026, with an acknowledgment received on May 5. Impacted Linux distributions were notified three days later.

Exim is a widely deployed open-source MTA used to send, receive, and route email on Linux and Unix servers. It is commonly found in shared hosting environments, enterprise mail systems, and on Debian- and Ubuntu-based distributions, where it has historically been the default mail server. Attackers exploiting CVE-2026-45185 could execute commands on the server, access Exim data and emails, and potentially pivot further into the environment depending on server permissions and configuration.

A fix for CVE-2026-45185 was released in Exim version 4.99.3. Users of Debian- and Ubuntu-based Linux distributions should apply the available Exim updates through their package managers immediately. The vulnerability is particularly concerning given Exim's widespread deployment and the fact that it can be exploited without authentication.
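As an added example (not part of the original article and not Exim project code), the following POSIX shell script parses the output of `exim -bV` to decide whether an installed build sits inside the affected window described above (4.97 through 4.99.2, linked against GnuTLS) or is an unaffected OpenSSL build. The two sample outputs embedded in it are constructed in the shape `exim -bV` prints and do not describe real hosts; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Exim project code): classify an Exim build for
# CVE-2026-45185 from `exim -bV` output. Affected window: 4.97 .. 4.99.2 with
# GnuTLS. OpenSSL builds and 4.99.3+ are reported as not affected.

# Return 0 if version $1 (e.g. 4.98, 4.99.2) lies within [4.97, 4.99.2].
exim_version_in_window() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    # Strip suffixes such as "-RC1" so the comparisons below stay numeric.
    minor=$(printf '%s' "$minor" | tr -dc '0-9')
    patch=$(printf '%s' "$patch" | tr -dc '0-9')
    [ -n "$minor" ] || return 1
    [ -n "$patch" ] || patch=0
    [ "$major" -eq 4 ] || return 1
    [ "$minor" -ge 97 ] || return 1
    [ "$minor" -le 99 ] || return 1
    if [ "$minor" -eq 99 ] && [ "$patch" -gt 2 ]; then
        return 1
    fi
    return 0
}

# Read `exim -bV` text on stdin and print "<version> <tls-library>".
# The TLS library comes from the "Library version:" line (GnuTLS or OpenSSL).
exim_parse_bv() {
    awk '
        /^Exim version /            { ver = $3 }
        /^Library version: GnuTLS/  { tls = "gnutls" }
        /^Library version: OpenSSL/ { tls = "openssl" }
        END {
            if (ver == "") ver = "unknown"
            if (tls == "") tls = "none"
            print ver, tls
        }
    '
}

# Return 0 when the build described by $1 (full `exim -bV` output) is affected,
# 1 when it is not (wrong version window or not a GnuTLS build),
# 2 when no "Exim version" line could be found.
exim_affected_from_bv() {
    parsed=$(printf '%s\n' "$1" | exim_parse_bv)
    ver=${parsed%% *}
    tls=${parsed#* }
    [ "$ver" != unknown ] || return 2
    [ "$tls" = gnutls ] || return 1
    exim_version_in_window "$ver"
}

# Constructed sample outputs in the shape `exim -bV` prints (not real hosts).
SAMPLE_GNUTLS='Exim version 4.98 #2 built 12-Jan-2025 10:00:00
Support for: crypteq iconv() IPv6 PAM Perl TLS=GnuTLS
Library version: GnuTLS: Compile: 3.8.3
                         Runtime: 3.8.3
Configuration file is /etc/exim4/exim4.conf'

SAMPLE_OPENSSL='Exim version 4.98 #2 built 12-Jan-2025 10:00:00
Support for: crypteq iconv() IPv6 PAM Perl TLS=OpenSSL
Library version: OpenSSL: Compile: OpenSSL 3.0.13 30 Jan 2024
                          Runtime: OpenSSL 3.0.13 30 Jan 2024
Configuration file is /etc/exim4/exim4.conf'

# Print a human-readable verdict; always returns 0 so it is safe under `set -e`.
report_exim() {
    rc=0
    exim_affected_from_bv "$1" || rc=$?
    case $rc in
        0) echo "AFFECTED: GnuTLS build inside 4.97..4.99.2; upgrade to 4.99.3 or later" ;;
        1) echo "not affected: outside the version window or not a GnuTLS build" ;;
        *) echo "could not parse exim -bV output" ;;
    esac
    return 0
}

# Stand-alone use: check the installed binary if there is one (Debian installs
# it as exim4 with an exim symlink), otherwise run against the samples.
if command -v exim >/dev/null 2>&1; then
    report_exim "$(exim -bV 2>/dev/null)"
elif command -v exim4 >/dev/null 2>&1; then
    report_exim "$(exim4 -bV 2>/dev/null)"
else
    report_exim "$SAMPLE_GNUTLS"
    report_exim "$SAMPLE_OPENSSL"
fi
```

The version parse is deliberately tolerant of release-candidate suffixes and of the two-part (4.97) versus three-part (4.99.2) numbering Exim uses, since a check that silently mis-parses a version string is worse than none; a build that reports no TLS library at all is also classed as not affected, because the bug lives in the TLS shutdown path.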

XBOW also reported that producing a proof-of-concept (PoC) exploit became a seven-day race between the company's autonomous AI-driven development system, XBOW Native, and a human researcher assisted by a large language model (LLM). XBOW Native produced a working exploit against a simplified target: an Exim server with Address Space Layout Randomization (ASLR) disabled and a non-PIE (non-position-independent executable) binary. In a second attempt, the LLM achieved an exploit on a machine with ASLR enabled but still a non-PIE binary.

Despite the AI's surprising approach of targeting Exim's own allocator instead of glibc's, the human researcher ultimately won the race, with the LLM assisting on tasks such as assembling files and testing exploitation avenues. The researcher noted that while LLMs are impressively fast, they are not yet ready to write exploits against real-world software without human guidance, though they can help humans understand unfamiliar code and dig into suspicious areas much faster.

The disclosure of CVE-2026-45185 highlights the ongoing risks posed by memory corruption vulnerabilities in critical internet infrastructure. As Exim remains a cornerstone of email delivery for millions of servers, administrators are urged to prioritize patching to prevent potential widespread exploitation.

Synthesized by Vypr AI