Exim BDAT Memory Corruption Flaw in GnuTLS Builds Enables Code Execution
Summary
A severe use-after-free vulnerability in Exim's BDAT message-body parsing, present only in GnuTLS builds, lets unauthenticated attackers trigger heap memory corruption that can lead to code execution. Exim versions 4.97 through 4.99.2 built with USE_GNUTLS=yes are affected; OpenSSL builds are not. An attacker needs only a TLS connection to the server and the CHUNKING (BDAT) SMTP extension. The bug is triggered when a TLS close_notify alert arrives before the BDAT body transfer is complete: a residual cleartext byte is then written into a buffer that has already been freed during session teardown, corrupting allocator metadata. The report describes this corruption as yielding further exploitation primitives that can be chained toward code execution.
Timeline
- 12.05.2026 19:44 · 1 article
Exim BDAT Use-After-Free Vulnerability (CVE-2026-45185) in GnuTLS Builds Patched
Exim released version 4.99.3 on May 12, 2026, to address CVE-2026-45185, a use-after-free flaw in BDAT parsing when GnuTLS is used. The vulnerability allows unauthenticated attackers to achieve code execution via a crafted TLS close_notify sequence. All Exim builds using GnuTLS from versions 4.97 to 4.99.2 are affected. Exploitation requires a TLS connection and BDAT support; no mitigations exist beyond upgrading to 4.99.3.
Source:
- New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution — thehackernews.com — 12.05.2026 19:44
Information Snippets
- CVE-2026-45185 (Dead.Letter) is a use-after-free vulnerability in Exim's BDAT parsing logic, triggered when a TLS close_notify alert is sent before the BDAT body transfer completes.
First reported: 12.05.2026 19:44 (1 source, 1 article)
- New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution — thehackernews.com — 12.05.2026 19:44
- The flaw affects Exim versions 4.97 through 4.99.2 only when built with USE_GNUTLS=yes; OpenSSL builds are unaffected.
First reported: 12.05.2026 19:44 (1 source, 1 article)
- New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution — thehackernews.com — 12.05.2026 19:44
- Exploitation requires establishing a TLS connection and using the CHUNKING (BDAT) SMTP extension; no special server configuration is needed beyond a GnuTLS build with BDAT enabled.
First reported: 12.05.2026 19:44 (1 source, 1 article)
- New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution — thehackernews.com — 12.05.2026 19:44
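As a triage aid for the two items above (the affected version range and GnuTLS-only build condition, and the CHUNKING prerequisite), the following Python script is an added example; it is not code from the Exim project or from the report. It parses the output of `exim -bV` (the `Exim version`, `Support for:` and `Library version:` lines are real fields of that output, but the sample text embedded here is constructed) and a captured EHLO reply, and reports whether a host sits in the affected range and advertises BDAT. The version boundaries come from the report; the function names and the `triage` result layout are my own.

```python
import re

# Affected range and fix as stated in the report: 4.97 .. 4.99.2 (GnuTLS only), fixed in 4.99.3.
AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)
FIXED = (4, 99, 3)


def parse_version(text):
    """Turn '4.97', '4.98.2' or '4.99.3' into a zero-padded 3-tuple for ordered comparison."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_exim_bv(output):
    """Extract (version_tuple, tls_backend) from `exim -bV` output.

    The backend is taken from the 'Support for:' feature list and, as a fallback,
    from the 'Library version:' line. Returns None for the backend if neither names
    GnuTLS or OpenSSL (e.g. a build without TLS).
    """
    m = re.search(r"^Exim version (\d+(?:\.\d+)+)", output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found in exim -bV output")
    version = parse_version(m.group(1))

    features = []
    support = re.search(r"^Support for:(.*)$", output, re.M)
    if support:
        features = support.group(1).split()
    lib = re.search(r"^Library version: (GnuTLS|OpenSSL)", output, re.M)

    backend = None
    if "GnuTLS" in features or (lib and lib.group(1) == "GnuTLS"):
        backend = "GnuTLS"
    elif "OpenSSL" in features or (lib and lib.group(1) == "OpenSSL"):
        backend = "OpenSSL"
    return version, backend


def is_affected(version, backend):
    """Only GnuTLS builds inside the reported range are vulnerable; 4.99.3 and later are fixed."""
    return backend == "GnuTLS" and AFFECTED_MIN <= version <= AFFECTED_MAX


def ehlo_advertises_chunking(ehlo_reply):
    """True if the EHLO response lists CHUNKING (RFC 3030), i.e. BDAT is reachable by a client."""
    return any(re.match(r"250[ -]CHUNKING\b", line.strip(), re.I)
               for line in ehlo_reply.splitlines())


def triage(bv_output, ehlo_reply):
    """Combine both checks into one verdict dict for a host."""
    version, backend = parse_exim_bv(bv_output)
    affected = is_affected(version, backend)
    chunking = ehlo_advertises_chunking(ehlo_reply)
    return {
        "version": ".".join(str(p) for p in version),
        "backend": backend,
        "affected_build": affected,
        "chunking_advertised": chunking,
        # Exploitation needs both a vulnerable build and a reachable BDAT path.
        "exposed": affected and chunking,
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_BV_GNUTLS = """\
Exim version 4.98.2 #3 built 01-Jan-2026 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DANE DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
Library version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3
"""

SAMPLE_BV_OPENSSL = """\
Exim version 4.98.2 #3 built 01-Jan-2026 10:00:00
Support for: crypteq iconv() IPv6 OpenSSL TLS_resume DANE DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
Library version: OpenSSL: Compile: OpenSSL 3.0.13 Runtime: OpenSSL 3.0.13
"""

SAMPLE_EHLO = """\
250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-CHUNKING
250-STARTTLS
250 HELP
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BV_GNUTLS, SAMPLE_EHLO))
```

Run it on a host with `exim -bV > bv.txt` and the first response to `EHLO` saved from an `openssl s_client -starttls smtp` session; a result with `exposed: True` is a host to upgrade to 4.99.3 first. The check is deliberately conservative: it flags GnuTLS builds only, since the report states OpenSSL builds are unaffected.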
- The vulnerability was reported by Federico Kirschbaum of XBOW on May 1, 2026, and patched in Exim version 4.99.3, released on May 12, 2026.
First reported: 12.05.2026 19:44 (1 source, 1 article)
- New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution — thehackernews.com — 12.05.2026 19:44
- The flaw enables heap corruption via a single-byte write into an already-freed heap buffer during TLS shutdown; the write lands on allocator metadata, giving attackers further exploitation primitives.
First reported: 12.05.2026 19:44 (1 source, 1 article)
- New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution — thehackernews.com — 12.05.2026 19:44
- No mitigations are reported; immediate upgrade to Exim 4.99.3 is required to remediate the issue.
First reported: 12.05.2026 19:44 (1 source, 1 article)
- New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution — thehackernews.com — 12.05.2026 19:44
- This is the second major use-after-free flaw in Exim's BDAT handling in under a decade; a similar issue (CVE-2017-16943, CVSS 9.8) was patched in late 2017.
First reported: 12.05.2026 19:44 (1 source, 1 article)
- New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution — thehackernews.com — 12.05.2026 19:44