A severe security flaw, dubbed “Dead.Letter” (CVE-2026-45185), has emerged within Exim, the widely used open-source Mail Transfer Agent (MTA) for Unix-like systems. This critical use-after-free vulnerability, if left unpatched, could lead to memory corruption and, crucially, remote code execution on affected email servers. Exim has promptly released security updates, urging immediate action from administrators.
The ‘Dead.Letter’ Vulnerability Explained
At its core, CVE-2026-45185 is a use-after-free vulnerability in Exim's handling of message bodies transferred with the SMTP CHUNKING extension's BDAT command. It is specific to builds in which TLS connections are handled by GnuTLS. The trigger is a precise sequence of events during a BDAT transfer:
- A client initiates a BDAT message body transfer.
- Before the transfer is complete, the client sends a TLS close_notify alert.
- Immediately afterwards, a final byte is sent in cleartext over the same TCP connection.
This sequence causes Exim to write into a memory buffer that has already been freed during the TLS session teardown. The result is heap corruption, which an attacker can build on to gain further control of the process.
A Closer Look at the Exploit Mechanism
Federico Kirschbaum, head of Security Lab at XBOW, who discovered and reported the flaw on May 1, 2026, provided a detailed explanation: “During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (n) into the freed region.”
He further elaborated, “That one-byte write lands on Exim’s allocator metadata, corrupting the allocator’s internal shape; the exploit then leverages that corruption to gain further primitives.” XBOW has categorized this as “one of the highest-caliber bugs” found in Exim to date, emphasizing that its exploitation requires almost no special server configuration beyond the use of GnuTLS.
Who is Affected?
The vulnerability affects Exim versions from 4.97 up to and including 4.99.2. A crucial caveat: only builds compiled with USE_GNUTLS=yes are susceptible. Installations using other TLS libraries, such as OpenSSL, are not at risk from this particular flaw.
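Because the two conditions above (version in 4.97 to 4.99.2, and a GnuTLS build) are both visible in the output of exim -bV, an administrator can triage a fleet quickly. The following script is an added example written for this page; it is not Exim's own code or XBOW's. It assumes the exim binary is on PATH (Debian and Ubuntu install it as exim4, so adjust the command there), that the version line has the form "Exim version X.Y.Z", and that the "Support for:" line names the TLS library (either as "GnuTLS"/"OpenSSL" or as "TLS=GnuTLS"/"TLS=OpenSSL"). The sample outputs embedded below are constructed for the demonstration, not captured from real hosts.

```python
"""Triage a host for the Exim "Dead.Letter" bug (CVE-2026-45185) from `exim -bV`.

Added example, not part of the original article or the Exim project.
Assumptions: `exim` is on PATH (Debian/Ubuntu use `exim4`), the version line
reads "Exim version X.Y[.Z]", and the "Support for:" line names the TLS library.
"""
import re
import subprocess
from typing import Optional, Tuple

# Affected range stated in the advisory text: 4.97 .. 4.99.2, fixed in 4.99.3,
# and only when the build uses GnuTLS (USE_GNUTLS=yes).
FIRST_AFFECTED = (4, 97, 0)
FIXED_IN = (4, 99, 3)

VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")
SUPPORT_RE = re.compile(r"^Support for:.*$", re.MULTILINE)


def parse_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `exim -bV` output; a missing patch level is 0."""
    m = VERSION_RE.search(bv_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_backend(bv_output: str) -> Optional[str]:
    """Return 'GnuTLS', 'OpenSSL', 'none' (support line present, no TLS), or None if unparseable."""
    m = SUPPORT_RE.search(bv_output)
    if not m:
        return None
    line = m.group(0)
    if "GnuTLS" in line:
        return "GnuTLS"
    if "OpenSSL" in line:
        return "OpenSSL"
    return "none"


def assess(bv_output: str) -> str:
    """Classify a host as AFFECTED / not affected / unknown for CVE-2026-45185."""
    version = parse_version(bv_output)
    if version is None:
        return "unknown: could not parse Exim version"
    backend = tls_backend(bv_output)
    if backend is None:
        return "unknown: could not find the 'Support for:' line"
    if backend != "GnuTLS":
        # Only USE_GNUTLS=yes builds are susceptible.
        return f"not affected: TLS library is {backend}, not GnuTLS"
    if version < FIRST_AFFECTED:
        return "not affected: version predates the affected range (4.97)"
    if version >= FIXED_IN:
        return "not affected: version includes the fix (4.99.3 or later)"
    return "AFFECTED: GnuTLS build of %d.%d.%d, upgrade to 4.99.3" % version


def assess_local(binary: str = "exim") -> str:
    """Run `exim -bV` on this host and classify it (use binary='exim4' on Debian/Ubuntu)."""
    out = subprocess.run([binary, "-bV"], capture_output=True, text=True, check=True).stdout
    return assess(out)


# Constructed sample outputs (not real captures) covering the three interesting cases.
SAMPLE_GNUTLS_AFFECTED = """Exim version 4.98.1 #2 built 01-Mar-2025 10:00:00
Copyright (c) University of Cambridge, 1995 - 2024
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TLS=GnuTLS TLS_resume DKIM DNSSEC PRDR
Configuration file is /etc/exim/exim.conf
"""
SAMPLE_OPENSSL_SAME_VERSION = """Exim version 4.98.1 #2 built 01-Mar-2025 10:00:00
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TLS=OpenSSL TLS_resume DKIM DNSSEC PRDR
"""
SAMPLE_GNUTLS_FIXED = """Exim version 4.99.3 #1 built 02-May-2026 09:30:00
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TLS=GnuTLS TLS_resume DKIM DNSSEC PRDR
"""

if __name__ == "__main__":
    for name, sample in [("gnutls 4.98.1", SAMPLE_GNUTLS_AFFECTED),
                         ("openssl 4.98.1", SAMPLE_OPENSSL_SAME_VERSION),
                         ("gnutls 4.99.3", SAMPLE_GNUTLS_FIXED)]:
        print(f"{name}: {assess(sample)}")
```

The version comparison is done on integer tuples rather than strings so that 4.99.2 correctly sorts below 4.99.3 and 4.97 (no patch level) is treated as 4.97.0, the first affected release. The check only reads build metadata; it does not probe the SMTP service and does not attempt the BDAT sequence described above.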
The Critical Fix: Upgrade Immediately
Exim has addressed the “Dead.Letter” vulnerability in version 4.99.3. The fix is designed to prevent the exploit by ensuring a clean reset of the input processing stack when a TLS close notification is received during an active BDAT transfer. This prevents the use of stale pointers that could lead to memory corruption.
There are no known mitigations or workarounds for this vulnerability other than upgrading. All users running affected Exim versions with GnuTLS are strongly advised to update to 4.99.3 as soon as possible to protect their email infrastructure from potential compromise.
A Recurring Challenge: Exim’s Use-After-Free History
This isn’t the first time Exim has grappled with critical use-after-free vulnerabilities. In late 2017, a similar flaw (CVE-2017-16943, CVSS score: 9.8) in the SMTP daemon allowed unauthenticated attackers to achieve remote code execution via specially crafted BDAT commands, potentially seizing control of email servers. This history underscores the importance of vigilant patching and robust security practices for Exim administrators.