Use-after-free bug in Exim’s GnuTLS BDAT handling lets remote attackers corrupt memory, with no workaround other than upgrading to version 4.99.3.

The popular Exim email server project today announced that a security vulnerability has been discovered in the platform’s GnuTLS backend. All versions of the software from 4.97 up to and including 4.99.2 are affected. According to the notification on Exim’s mailing list, the bug only impacts builds using GNUTLS=yes. Builds using OpenSSL or other TLS libraries are not affected.
The issue, tracked as CVE-2026-45185 or Dead.Letter, is a use-after-free vulnerability, a memory issue that occurs when a program continues to access already freed memory. In this case, the vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection. This can cause Exim to write into a memory buffer that’s already been freed during the TLS session teardown, leading to heap corruption.
“An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension,” Exim said in an email notification.
The vulnerability was discovered by Federico Kirschbaum, an Exim contributor and maintainer who is also head of XBOW Security Lab. In an article on the lab’s website, Kirschbaum and another researcher, Andre Luksenberg, wrote that, “What matters here is that triggering this bug requires almost no special configuration on the server. That, more than the technical shape of the corruption itself, is what makes it one of the highest-caliber bugs discovered in Exim to date.”
There is no known mitigation other than upgrading; the patched release, Exim 4.99.3, is already available.
“All users of affected versions are strongly encouraged to upgrade as soon as possible,” the project said. “The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used.”
Downloads are available at https://ftp.exim.org/pub/exim/exim4/ and https://code.exim.org/exim/exim/releases.
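A quick way for an administrator to tell whether a host falls in the affected range is to check the version and TLS library reported by `exim -bV`. The script below is an added example, not code from Exim or from this article; it assumes that `exim -bV` prints a line beginning `Exim version X.Y.Z` and a `Support for:` line naming the TLS library, and the sample output it parses is constructed.

```python
"""Assess whether an Exim build is in the CVE-2026-45185 affected range.

Added example, not Exim project code. Assumes `exim -bV` prints a line
starting "Exim version X.Y.Z" and a "Support for:" line that names the
TLS library (GnuTLS or OpenSSL). SAMPLE_GNUTLS below is constructed.
"""
import re
import subprocess

AFFECTED_MIN = (4, 97, 0)   # first affected release (4.97)
AFFECTED_MAX = (4, 99, 2)   # last affected release; 4.99.3 carries the fix


def parse_version(text):
    """Return the Exim version as a comparable (major, minor, patch) tuple."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no 'Exim version' line found in -bV output")
    return tuple(int(p or 0) for p in m.groups())


def uses_gnutls(text):
    """True when the 'Support for:' line lists GnuTLS (the GNUTLS=yes build)."""
    m = re.search(r"^Support for:(.*)$", text, re.MULTILINE)
    return bool(m) and "GnuTLS" in m.group(1)


def is_affected(text):
    """Affected only for GnuTLS builds from 4.97 through 4.99.2 inclusive."""
    return uses_gnutls(text) and AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def assess(text):
    ver = ".".join(str(p) for p in parse_version(text))
    if is_affected(text):
        return f"Exim {ver} with GnuTLS: affected by CVE-2026-45185, upgrade to 4.99.3"
    return f"Exim {ver}: not affected by CVE-2026-45185"


# Constructed sample of -bV output for a vulnerable GnuTLS build.
SAMPLE_GNUTLS = """Exim version 4.98.1 #2 built 01-Jan-2025 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR
Configure owner: 0:0
"""

if __name__ == "__main__":
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    except FileNotFoundError:   # no exim binary here; fall back to the sample
        out = SAMPLE_GNUTLS
    print(assess(out))
```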
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux