Exim 'Dead.Letter' Vulnerability: Critical RCE Risk for GnuTLS-Based Builds
CVE-2026-45185 is a use-after-free vulnerability in the Exim SMTP BDAT parser that allows unauthenticated RCE on GnuTLS-compiled servers. No configuration work…

Exim released version 4.99.3 on May 12, 2026, to address CVE-2026-45185, a critical use-after-free vulnerability in the SMTP BDAT command parser. The flaw, dubbed "Dead.Letter," enables remote code execution (RCE) on servers compiled with GnuTLS. Reachable without authentication or valid recipient addresses, the vulnerability admits no temporary configuration workarounds; a full binary upgrade is the only definitive defense.
- The security fix is included in version 4.99.3; affected versions range from 4.97 to 4.99.2, specifically when compiled with USE_GNUTLS=yes.
- The exploit is triggered by a TLS close_notify alert during an active BDAT transfer, followed by a cleartext byte on the same TCP connection.
- A single-byte write via ungetc() into a freed TLS buffer corrupts the heap allocator's metadata, paving the way for RCE.
- There are no configuration-based mitigations; the flaw is pre-authentication and requires no credentials or human interaction.
The Crash Chain: close_notify, BDAT, and Heap Corruption
The bug resides in the handling of the BDAT command, used in SMTP chunking to transfer message bodies in blocks. If a client sends a TLS close_notify alert before the transfer is complete, Exim frees the buffer allocated to the GnuTLS session. However, a nested BDAT receive wrapper may still attempt to process incoming data and invoke ungetc(), writing a character into that recently deallocated memory region.
That single byte targets the internal metadata of Exim’s heap allocator, corrupting its structure and enabling arbitrary code execution. Researcher Federico Kirschbaum of XBOW Security, who discovered the flaw on May 1, 2026, and reported it to the development team, described the sequence with surgical precision.
"During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region; that one-byte write lands on Exim's allocator metadata, corrupting the allocator's internal shape." - Federico Kirschbaum, XBOW Security (via The Hacker News)
Exim's security advisory, as reported by The Hacker News, confirms the exact sequence: "The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection." This sequence forces the server to reuse a stale pointer, destabilizing the process and opening the way to compromise.
GnuTLS vs. OpenSSL: Why Compilation Choices Matter
The vulnerability exclusively affects builds compiled with USE_GNUTLS=yes. This is a common configuration in Debian and Ubuntu distributions, which often favor GnuTLS to align with system licensing policies. Builds based on OpenSSL are unaffected because they manage the TLS buffer lifecycle differently during connection teardown.
For administrators, this means checking the Exim version alone is insufficient; they must also verify the active compilation configuration. If the server banner or logs indicate GnuTLS usage, the installation is potentially vulnerable to this attack sequence if it falls within the 4.97 to 4.99.2 version range.
Enterprise installations handling automated mail flows are at significant risk. An attacker can strike the server before the authentication phase begins, requiring neither a valid account nor an existing recipient in the domain. A full service compromise can be initiated via a single, carefully orchestrated TCP connection.
Legacy Debt: The 2017 BDAT Parser Failure
The severity of Dead.Letter is amplified by its status as a historical regression. A nearly identical use-after-free bug in the BDAT parser was patched in 2017, highlighting technical debt that the SMTP chunking subsystem has struggled to fully retire. The reappearance of a memory flaw in the same component suggests that subsequent code changes may have removed or bypassed the checks introduced nearly a decade ago.
The Exim maintainers accepted the responsible disclosure on May 1, 2026, and required eleven days to prepare and release version 4.99.3. While this was a relatively rapid response, the complexity of the bug left no room for interim workarounds. The lack of temporary mitigations makes the upgrade a mandatory and immediate step for all GnuTLS-based deployments.
The official advisory describes the fix as follows: "The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used." This targeted intervention restores consistency to the input stack without altering the general logic of SMTP chunking.
Disclosure Timeline: Eleven Days from Report to Patch
Federico Kirschbaum of XBOW Security submitted the report to the Exim team on May 1, 2026. The public advisory and the release of version 4.99.3 followed on May 12, 2026. While the response speed was commendable, the window left administrators without actionable countermeasures, making the interval particularly dangerous for Internet-facing mail servers.
Debian and Ubuntu: At the Center of Enterprise Risk
Debian and Ubuntu distributions represent the most exposed perimeter in enterprise environments, as they are the most likely to compile Exim with GnuTLS rather than OpenSSL. Field Effect, an MDR vendor that analyzed the corporate impact of the flaw, emphasizes that the absence of temporary workarounds forces administrators into a race against time to update both internal and external mail gateways.
There is currently no precise estimate of the total number of publicly exposed GnuTLS-based Exim servers, nor a definitive schedule for when patched packages will arrive in all Debian and Ubuntu downstream repositories. Administrators are advised to manually verify update availability through their respective distribution channels rather than waiting for automated notifications.
Mitigation and Response
- Immediately upgrade to Exim 4.99.3 on all inbound mail servers, ensuring the package provided by your distribution includes the official security patch.
- Verify the USE_GNUTLS compilation flag: if active, the installation is at risk. Builds utilizing OpenSSL do not require intervention for this specific CVE.
- Do not rely on SMTP restrictions, ACLs, or firewall filters as mitigations. Because the vulnerability is pre-authentication and requires no valid recipient, traditional application-level blocking is ineffective.
- Monitor SMTP connection logs for anomalous patterns of TLS interruptions during BDAT sessions and report suspicious activity to your relevant CERT while upgrades are finalized.
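As an added check, not code from the advisory or the Exim project, the POSIX shell function below classifies a host from the output of `exim -bV`, combining the 4.97 to 4.99.2 version-range rule with the GnuTLS-versus-OpenSSL distinction described above. It assumes, as Debian and Ubuntu exim4 builds do, that `exim -bV` names the linked TLS library on its "Support for:" or "Library version:" line; the sample banners are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Exim project): classify a host for
# CVE-2026-45185 from the text of `exim -bV`. The affected range 4.97..4.99.2 and
# the fixed release 4.99.3 come from the advisory; the assumption that `exim -bV`
# names the TLS library (as Debian/Ubuntu exim4 builds do) is this script's own.

# Turn "4.99.2" into a zero-padded integer key (4099002); a missing patch level counts as 0.
vkey() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, ($3 == "" ? 0 : $3) }'
}

# $1 = full output of `exim -bV`; prints one of VULNERABLE, PATCHED, NOT_AFFECTED, UNKNOWN.
dead_letter_status() {
  out=$1
  ver=$(printf '%s\n' "$out" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
  if [ -z "$ver" ]; then echo UNKNOWN; return 0; fi
  if printf '%s\n' "$out" | grep -qw GnuTLS; then tls=GnuTLS
  elif printf '%s\n' "$out" | grep -qw OpenSSL; then tls=OpenSSL
  else tls=unknown; fi
  if [ "$tls" = OpenSSL ]; then echo NOT_AFFECTED; return 0; fi   # OpenSSL builds are out of scope
  if [ "$tls" = unknown ]; then echo UNKNOWN; return 0; fi        # cannot tell which TLS library is linked
  k=$(vkey "$ver")
  if [ "$k" -ge "$(vkey 4.97)" ] && [ "$k" -le "$(vkey 4.99.2)" ]; then echo VULNERABLE
  elif [ "$k" -ge "$(vkey 4.99.3)" ]; then echo PATCHED
  else echo NOT_AFFECTED; fi
}

# Constructed sample banners (abridged; a real `exim -bV` prints more lines).
SAMPLE_GNUTLS_OLD='Exim version 4.98 #2 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC
Library version: GnuTLS: Compile: 3.8.3'
SAMPLE_GNUTLS_FIXED='Exim version 4.99.3 #1 built 12-May-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC'
SAMPLE_OPENSSL='Exim version 4.99.2 #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL move_frozen_messages DKIM DNSSEC
Library version: OpenSSL: Compile: OpenSSL 3.0.13'

# Check the live binary when present, otherwise walk the constructed samples.
if command -v exim >/dev/null 2>&1; then
  dead_letter_status "$(exim -bV 2>/dev/null)"
else
  for s in "$SAMPLE_GNUTLS_OLD" "$SAMPLE_GNUTLS_FIXED" "$SAMPLE_OPENSSL"; do dead_letter_status "$s"; done
fi
```

A distribution package may backport the fix while keeping the old upstream version string, so a VULNERABLE result should be confirmed against the package changelog before escalating.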
The Dead.Letter incident underscores how memory vulnerabilities in legacy protocol parsers can resurface with devastating effect when technical debt is not addressed at its root. For Exim, SMTP chunking has proven to be a recurring minefield. Administrators have little choice but to update and audit their compilation chains, recognizing that any delay leaves the server open to total, silent compromise.
Questions and Answers
- Why are only GnuTLS builds vulnerable?
- The flaw depends on how GnuTLS handles TLS buffer release during connection shutdown. OpenSSL-based builds handle teardown differently and do not present the specific memory path that allows the write-after-free to occur.
- Can I mitigate the threat without updating Exim?
- No. Multiple sources, including the official advisory and analysis by Field Effect, agree that no configuration workarounds or firewall rules can reliably block the attack, as it occurs pre-authentication.
- Are the 2017 bug and Dead.Letter technically identical?
- While not confirmed to be byte-for-byte identical, reports describe a nearly identical use-after-free in the same BDAT parser that was addressed in 2017. This recurrence highlights a persistent structural fragility in the SMTP chunking code.
Information has been verified against cited sources and is current as of the time of publication.
Sources
- https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html
- https://thomasharris6.wordpress.com/2026/05/12/new-exim-bdat-vulnerability-exposes-gnutls-builds-to-potential-code-execution/
- https://www.reconbee.com/new-exim-bdat-vulnerability-exposes-gnutls-builds-to-potential-code-execution/
- https://cybersecuritynews.com/new-exim-bdat-gnutls-vulnerability/
- https://fieldeffect.com/blog/critical-exim-flaw-gnutls-builds