Exim 'Dead.Letter' Vulnerability: Unauthenticated RCE Threatens GnuTLS-Based Mail Servers

A critical use-after-free vulnerability in Exim’s BDAT parser (CVE-2026-45185) allows for unauthenticated remote code execution on servers compiled with GnuTLS…


On May 12, 2026, the Exim project released version 4.99.3 to address CVE-2026-45185, a critical flaw dubbed "Dead.Letter." The vulnerability is a use-after-free error in the BDAT parser that can be triggered on builds utilizing the GnuTLS library, potentially leading to unauthenticated remote code execution (RCE). Because no workarounds exist, an immediate update is the only defense—a high-priority task for Debian and Ubuntu servers exposed to the internet.

Key Takeaways
  • Affected versions include Exim 4.97 through 4.99.2 when compiled with USE_GNUTLS=yes; builds using OpenSSL are not vulnerable.
  • The exploit is triggered when a client sends a TLS close_notify before a BDAT transfer completes, followed by a final plaintext byte over the same TCP connection.
  • The attack requires no authentication, valid recipients, or user interaction to achieve arbitrary code execution.
  • There are no temporary mitigations or workarounds; administrators must prioritize updating to version 4.99.3, particularly on Debian-based distributions.

Technical Breakdown: The BDAT Use-After-Free Chain

The flaw resides in how Exim manages SMTP BDAT chunking when the TLS session is handled by GnuTLS. According to the advisory released by the Exim project and reported by The Hacker News, the vulnerability manifests during the handling of a BDAT message body. A malicious client triggers the flaw by sending a close_notify alert on the TLS channel before the body transfer is finished, then immediately sending a trailing plaintext byte over the same TCP connection.

During the TLS layer shutdown, Exim frees the buffer allocated for the encrypted transfer. However, the nested BDAT reception wrapper may continue to process incoming bytes. In this state, a call to ungetc() writes a newline character (\n) into the recently freed memory region, corrupting heap allocator metadata. This corruption provides a pathway to remote code execution and the potential for a total compromise of the mail server.

"During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region" – Federico Kirschbaum, head of Security Lab at XBOW.

GnuTLS vs. OpenSSL: Determining Vulnerability

The bug affects only builds compiled with the USE_GNUTLS=yes build option. Exim versions 4.97 through 4.99.2 built on this cryptographic stack are at risk, while versions built against OpenSSL do not exhibit the behavior. Which stack is in use is fixed when the package or binary is compiled, not by runtime configuration.

Environments using OpenSSL as the TLS provider, including custom builds or distributions with different defaults, do not contain the vulnerable code path. Debian-based distributions, however, ship Exim built against GnuTLS by default, which places a large share of internet-facing mail servers in scope.

High Exposure for Debian and Ubuntu Ecosystems

The concentration of risk within the Debian and Ubuntu ecosystems is a result of packaging defaults. As highlighted by Field Effect, Exim packages in Debian-derived distributions are compiled with GnuTLS, rendering servers running versions 4.97 through 4.99.2 immediately vulnerable. The widespread deployment of Exim on these platforms, often directly exposed to the public internet, makes this flaw a high-impact attack vector.

A successful exploit grants more than just service disruption. Unauthenticated RCE allows attackers to intercept mail traffic, exfiltrate credentials from messages or logs, and move laterally through the internal network from the compromised server. At the time of publication, there are no confirmed reports of exploitation in the wild, but the lack of workarounds makes every unpatched instance a low-cost target for attackers.

Remediation and Response

The only effective countermeasure is upgrading to Exim version 4.99.3, released on May 12, 2026. Security researchers and official advisories agree that there are no configurable workarounds or temporary mitigations capable of blocking the attack vector, making the patching process an urgent requirement.

Administrators should follow this operational sequence:
  • First, verify whether the Exim build uses GnuTLS; an OpenSSL build is not affected.
  • Second, identify all internet-facing Debian and Ubuntu servers running versions 4.97 through 4.99.2.
  • Third, apply the 4.99.3 update via the distribution’s package manager or by recompiling from official source code.
  • Fourth, confirm that the active process has been restarted on the new binary; an on-disk update without a service restart leaves the vulnerable version active in memory.

Given the lack of alternatives, strict patching discipline remains the only line of defense.
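As an added example (not code from the article, the advisory, or the Exim project), the following POSIX shell helper carries out the first, second and fourth steps of that sequence on a single host. It assumes that exim -bV prints an "Exim version X.Y[.Z] ..." line and a "Support for: ..." line that names the TLS library (GnuTLS or OpenSSL), and that the affected range is exactly 4.97 up to but not including 4.99.3, as the advisory states. The sample outputs embedded at the bottom are constructed for offline checking, not real captures.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-45185 ("Dead.Letter"); not part of the
# Exim project. Assumptions: 'exim -bV' prints an "Exim version X.Y[.Z] ..."
# line and a "Support for: ..." line naming the TLS library (GnuTLS or
# OpenSSL); affected range is 4.97 <= version < 4.99.3 per the advisory.

# Collapse a dotted version into one comparable integer (4.99.2 -> 4099002).
# Anything after the numeric part (e.g. "-RC1") is ignored.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Classify one 'exim -bV' output. Prints exactly one token on stdout:
#   VULNERABLE    GnuTLS build, version in 4.97 .. 4.99.2
#   SAFE_OPENSSL  OpenSSL build (not affected, regardless of version)
#   SAFE_VERSION  GnuTLS build, version outside the affected range
#   UNKNOWN       output could not be parsed; inspect the host by hand
# Always returns 0 so it is safe to call inside $(...) under 'set -e'.
assess_exim_bv() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    support=$(printf '%s\n' "$1" | grep '^Support for:' | head -n 1)
    if [ -z "$ver" ]; then
        echo UNKNOWN
        return 0
    fi
    case $support in
        *OpenSSL*) echo SAFE_OPENSSL; return 0 ;;
        *GnuTLS*)  : ;;
        *)         echo UNKNOWN; return 0 ;;
    esac
    key=$(version_key "$ver")
    if [ "$key" -ge "$(version_key 4.97)" ] && [ "$key" -lt "$(version_key 4.99.3)" ]; then
        echo VULNERABLE
    else
        echo SAFE_VERSION
    fi
}

# Fourth step: on Linux, a process still executing a binary that the package
# update replaced on disk shows " (deleted)" at the end of its /proc/PID/exe
# link. Takes the readlink output as its argument so it can be checked offline.
stale_binary() {
    case $1 in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample outputs (not real captures) to exercise the classifier.
SAMPLE_GNUTLS='Exim version 4.98.1 #2 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC PRDR'
SAMPLE_OPENSSL='Exim version 4.98.1 #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC PRDR'
SAMPLE_FIXED='Exim version 4.99.3 #1 built 12-May-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC PRDR'

# When exim is installed, assess the local build and look for a daemon that
# still runs the pre-update binary; otherwise only the functions are defined.
EXIM_BIN=$(command -v exim4 || command -v exim || true)
if [ -n "$EXIM_BIN" ]; then
    echo "local build: $(assess_exim_bv "$("$EXIM_BIN" -bV 2>/dev/null)")"
    for pid in $(pgrep -x exim4 2>/dev/null; pgrep -x exim 2>/dev/null); do
        if stale_binary "$(readlink "/proc/$pid/exe" 2>/dev/null)"; then
            echo "pid $pid still runs the replaced binary: restart exim"
        fi
    done
fi
```

Run it as root on each candidate host, or feed exim -bV output collected by inventory tooling to assess_exim_bv. One caveat: distributions that backport security fixes without changing the upstream version string can make an already-patched package report a version inside the affected range, so treat a VULNERABLE result from a distribution package as a prompt to check the package changelog or the vendor advisory rather than as a final verdict. A stale-binary hit after the update means the daemon is still serving the old code until it is restarted.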

The coordinated disclosure by XBOW and the Exim project gives administrators a narrow window for action. While no public proof-of-concept currently exists, every hour of delay increases the measurable attack surface. For organizations relying on Exim with GnuTLS on Debian or Ubuntu, this is not a routine maintenance cycle; it is a critical event requiring immediate intervention to protect exposed instances.

Frequently Asked Questions

Are OpenSSL-based builds truly safe?

Yes. The Exim advisory, as reported by The Hacker News, explicitly states that builds compiled without GnuTLS support are not affected. If your Exim binary is linked against OpenSSL, this vulnerability does not apply.

Is a valid server account required to exploit this flaw?

No. According to Field Effect and reporting from The Hacker Wire, the exploit requires no authentication, valid recipients, or user interaction. An unauthenticated remote attacker can reach the server and trigger the heap corruption sequence.

Is there a configuration change to mitigate risk while waiting to patch?

No. Both the Exim advisory and analysis from Field Effect confirm that no workarounds or effective mitigations exist other than upgrading directly to version 4.99.3. Perimeter limitations may reduce exposure but do not eliminate the underlying vector.

Information has been verified against cited sources and is current as of the date of publication.
