Exim has issued security updates for a severe vulnerability in certain mail server setups that could lead to memory corruption and possible code execution. The issue, tracked as CVE-2026-45185, affects versions 4.97 through 4.99.2 and is fixed in 4.99.3.
KEY FACTS
- Issue: use-after-free flaw in BDAT message body parsing
- Trigger: TLS close_notify during an active BDAT transfer, then a final cleartext byte
- Affected builds: only those compiled with USE_GNUTLS=yes
- Fix: version 4.99.3; no other mitigations
- Discovery: reported on May 1, 2026 by Federico Kirschbaum of XBOW
In an official security advisory, Exim said the flaw appears when a client ends the TLS session before BDAT body transfer is complete and then sends one more byte over the same TCP connection in cleartext. That sequence can cause the server to write into memory that has already been freed.
The vulnerability affects only builds that use GnuTLS. Exim said versions that rely on other TLS libraries, including OpenSSL, are not impacted. The disclosure says the issue can be reached by an attacker who can establish a TLS connection and use the CHUNKING BDAT SMTP extension.
XBOW said the bug was found by Federico Kirschbaum and described the condition as a one-byte write into freed memory during TLS shutdown. The company said the flaw required little special server configuration. Exim said upgrading to 4.99.3 is the only fix.
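Since the fix is an upgrade and exposure depends on both the version range and the TLS library the binary was built against, the triage question for an operator is simply "is this host an affected build?". The helper below is an added example, not code from Exim or XBOW; it reads the output of `exim -bV`, assuming the version appears on an `Exim version X.Y` line and the TLS library name on the `Support for:` or `Library version:` line. The three sample outputs are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Range stated in the advisory: 4.97 through 4.99.2 affected, fixed in 4.99.3.
FIRST_AFFECTED = (4, 97)
LAST_AFFECTED = (4, 99, 2)

# Constructed samples of `exim -bV` output (not captured from a real host).
GNUTLS_BUILD = """Exim version 4.98 #2 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS DKIM
Library version: GnuTLS: Compile: 3.8.3
                         Runtime: 3.8.3
"""
OPENSSL_BUILD = """Exim version 4.99.2 #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL DKIM
Library version: OpenSSL: Compile: OpenSSL 3.0.13
                          Runtime: OpenSSL 3.0.13
"""
FIXED_BUILD = """Exim version 4.99.3 #1 built 01-Jun-2026 00:00:00
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS DKIM
Library version: GnuTLS: Compile: 3.8.3
"""


def parse_version(bv_output: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric Exim version (e.g. (4, 99, 2)) or None if not found."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)+)", bv_output, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def uses_gnutls(bv_output: str) -> bool:
    """True if the build reports GnuTLS as its TLS library.

    Assumes the library name is printed on the 'Support for:' or
    'Library version:' line, as common distribution builds do.
    """
    pattern = r"^(?:Support for|Library version):.*\bGnuTLS\b"
    return re.search(pattern, bv_output, re.MULTILINE) is not None


def is_affected(bv_output: str) -> bool:
    """Affected only if version is within [4.97, 4.99.2] AND GnuTLS is linked.

    Tuple comparison handles two- and three-part versions: (4, 99) sorts
    below (4, 99, 2), while (4, 99, 3) sorts above it and is not affected.
    """
    version = parse_version(bv_output)
    if version is None:
        return False
    return FIRST_AFFECTED <= version <= LAST_AFFECTED and uses_gnutls(bv_output)
```

An OpenSSL-linked 4.99.2 build is reported as not affected, matching the advisory's scoping, so the check is only meaningful when the build information is trustworthy and current.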
Exim has patched similar use-after-free flaws before, including a 2017 bug that could be exploited for remote code execution through crafted BDAT commands. The latest issue does not yet have publicly described exploitation, according to the advisory and disclosure.
WHY IT MATTERS
Mail servers are core infrastructure, and flaws that can corrupt memory may create a path to full server compromise. The update is important for operators running affected Exim builds with GnuTLS, especially where SMTP connections are exposed to untrusted clients.