Exim Patches Critical Unauthenticated RCE Vulnerability in GnuTLS-Linked Servers

On May 12, 2026, the Exim team released version 4.99.3 to address CVE-2026-45185, a high-severity use-after-free vulnerability that enables unauthenticated remote code execution (RCE) on servers compiled with GnuTLS. The flaw is triggered during BDAT transfers if a client terminates a TLS session with a close_notify alert and then transmits a cleartext byte over the same TCP connection. Security experts warn that there are no alternative mitigations; an immediate upgrade is the only viable defense for administrators of the world's most widely used Unix-like mail transfer agent.

Key Takeaways
  • CVE-2026-45185 is a use-after-free vulnerability residing in Exim's BDAT parser when the TLS connection is handled via GnuTLS.
  • The exploit requires a specific sequence: a TLS close_notify during a BDAT transfer followed by a final cleartext byte on the same socket.
  • Affected versions range from 4.97 to 4.99.2, provided they are compiled with USE_GNUTLS=yes; OpenSSL-based builds are not impacted.
  • The official Exim advisory confirms the absence of workarounds: upgrading to version 4.99.3 is mandatory to resolve the flaw.

The Trigger Sequence: TLS Shutdown and BDAT Collision

The ESMTP BDAT protocol facilitates the transfer of binary message bodies. During this process, the server expects the GnuTLS-managed session to remain stable until the transfer is finalized. However, if a client sends a close_notify alert before the body transfer completes and subsequently sends a trailing byte in cleartext over the same TCP connection, Exim enters an anomalous state.

According to the official advisory: "The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection." This sequence requires no authentication and does not depend on any specialized server configuration.

As part of the SMTP CHUNKING extension, the BDAT command allows for the precise transmission of binary data without Base64 encoding, reducing overhead for high-volume servers. Its integration with the TLS layer is managed by an internal wrapper that fails to account for cleartext data received after a close_notify, creating an exploitable race condition.

Root Cause: Memory Corruption via ungetc()

The flaw does not reside within GnuTLS itself, but rather in how Exim manages its transfer buffers during the teardown of a cryptographic session. When GnuTLS signals that the secure channel is closing, Exim frees the xfer_buffer structure to clear the connection state. However, the nested BDAT receive wrapper remains active and can still process incoming bytes. In this state, a call to ungetc() writes a '\n' character into a region of memory that has already been deallocated.

Analysis by Federico Kirschbaum of XBOW explains: "During TLS shutdown, Exim frees its TLS transfer buffer — but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region." This write operation corrupts the heap allocator's metadata, paving the way for exploit primitives that lead to remote code execution.

"One of the highest-caliber bugs discovered in Exim to date." — XBOW

Attack Surface: Restricted to GnuTLS Builds

The vulnerability does not affect the entire Exim install base. It specifically impacts versions 4.97 through 4.99.2 compiled with the USE_GNUTLS=yes flag. Builds utilizing OpenSSL employ a different TLS session cleanup path and remain unaffected. While many Linux distributions ship Exim with GnuTLS as a default dependency, the exact number of production installations meeting the specific trigger requirements remains difficult to quantify.

Despite the lack of independent data on exposed servers, the theoretical attack surface is vast, particularly for ISPs and hosting providers operating Unix-like platforms. For network operators, the criticality stems from Exim’s role as the default MTA on countless Linux and BSD systems. An unauthenticated RCE on a public-facing service—typically listening on ports 25 or 587—represents a total server compromise vector, potentially leading to internal network lateral movement and the theft of mailbox contents.

No Workarounds: Mandatory Upgrade to 4.99.3

The official advisory is definitive: there are no alternative countermeasures to mitigate the risk beyond applying the patch. Exim corrected the buffer management during TLS shutdown in version 4.99.3, available as of May 12, 2026. There are no configuration workarounds, and firewall-level filters cannot reliably distinguish the malicious packet sequence from a legitimate session teardown without disrupting standard SMTP-TLS traffic.

The severity is heightened by the lack of access barriers; an attacker needs neither valid credentials nor a specific server configuration. As XBOW notes, "triggering this bug requires almost no special configuration on the server," expanding the attack surface to any vulnerable installation reachable over the internet. For administrators, the maintenance cycle must treat this upgrade as a critical, non-deferrable priority.

Recommended Actions

  1. Verify the Build: Determine if your production Exim instance was compiled with USE_GNUTLS=yes and check if the version falls between 4.97 and 4.99.2. If both conditions are met, the server is vulnerable.
  2. Schedule Immediate Upgrade to 4.99.3: The official advisory confirms that version 4.99.3 fixes the defect. Deployment should be treated as a critical security intervention.
  3. Monitor Distribution Channels: If your environment relies on managed packages from Debian, Ubuntu, RHEL, or other distributions, verify the availability of the update in official security repositories before attempting manual compilation.
  4. Consider Source Compilation if Necessary: If a distribution vendor has not yet released an updated package, prepare to build from the official Exim source to minimize the window of exposure.
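To make step 1 concrete, here is an added build-check script (not from the Exim project or the advisory) that parses the output of `exim -bV`, reads the version and the "Support for:" line on which Exim names its TLS library, and reports whether both advisory conditions hold. It assumes the binary is invoked as `exim` (Debian-family hosts may install it as `exim4`); the embedded sample output is constructed, not captured from a real host.

```python
import re
import subprocess
from typing import Optional, Tuple

# Inclusive affected range from the advisory: 4.97 through 4.99.2, GnuTLS builds only.
FIRST_AFFECTED = (4, 97, 0)
LAST_AFFECTED = (4, 99, 2)

# Constructed sample of `exim -bV` output for a GnuTLS build inside the range
# (not a real capture); the "Support for:" line is where Exim lists its TLS library.
SAMPLE_BV_OUTPUT = """Exim version 4.98.1 #2 built 03-Mar-2025 10:11:12
Copyright (c) University of Cambridge, 1995 - 2024
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS TLS_resume DANE DKIM
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz
Configuration file is /etc/exim4/exim4.conf
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the Exim version as a comparable (major, minor, patch) tuple; 4.97 -> (4, 97, 0)."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def uses_gnutls(text: str) -> bool:
    """True when the build lists GnuTLS (USE_GNUTLS=yes) on its Support line."""
    m = re.search(r"^Support for:(.*)$", text, re.M)
    return bool(m) and "GnuTLS" in m.group(1).split()


def is_vulnerable(text: str) -> bool:
    """Both advisory conditions: version within 4.97..4.99.2 and linked against GnuTLS."""
    v = parse_version(text)
    return v is not None and FIRST_AFFECTED <= v <= LAST_AFFECTED and uses_gnutls(text)


def check_local_exim() -> bool:
    """Run the real binary; returns False when exim is not installed on this host."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return False
    return is_vulnerable(out)


if __name__ == "__main__":
    print("sample build vulnerable:", is_vulnerable(SAMPLE_BV_OUTPUT))
    print("local build vulnerable:", check_local_exim())
```

A True result means the host needs 4.99.3 (or a distribution package carrying the fix) before anything else on the maintenance list.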

The CVE-2026-45185 case demonstrates how I/O management complexity in mature software can lead to compositional flaws between separate protocols. The overlap of the TLS teardown process and the BDAT parser has resulted in a zero-click condition that requires no special configuration, making the patch the only effective safeguard. For mail infrastructures, the deadline for remediation is immediate.

Frequently Asked Questions

Why does this only affect GnuTLS builds?

The TLS session teardown in GnuTLS triggers a specific cleanup path for the xfer_buffer that interacts incorrectly with Exim's BDAT receive wrapper. Builds using OpenSSL do not follow this specific code path and are therefore immune, as confirmed by both the Exim advisory and XBOW analysis.

Can I mitigate this without updating Exim?

No. The official advisory explicitly states that no alternative mitigations exist. Firewall rules or configuration changes cannot resolve the use-after-free within the BDAT parser; the only solution is upgrading to version 4.99.3.

Has a full RCE exploit chain been demonstrated publicly?

XBOW has stated that the heap allocator metadata corruption provides the primitives necessary for code execution. However, a complete, end-to-end RCE exploit chain has not been independently verified by third parties at the time of publication, and there are currently no reports of active exploitation in the wild.