Exim BDAT Use-After-Free Remote Code Execution (CVE-2026-45185)
Severity Assessment
- Exploitability: 9/10 - NVD describes unauthenticated remote exploitation conditions in affected Exim configurations.
- Impact: 10/10 - Successful exploitation can allow arbitrary code execution on internet-facing mail infrastructure.
- Weaponization Risk: 8/10 - Public technical detail exists for trigger conditions in BDAT/TLS handling, increasing reproduction risk.
- Patch Urgency: 10/10 - Exim states releases before 4.99.3 are obsolete and identifies this as a security fix.
- Detection Coverage: 5/10 - Public sources describe conditions and impact but do not provide stable IOC sets such as hashes or infrastructure indicators.
NVD lists CVE-2026-45185 as Critical with a CNA CVSS v3.1 base score of 9.8 and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Summary
CVE-2026-45185 is a remotely reachable use-after-free in Exim’s BDAT body parsing path in certain GnuTLS configurations. NVD states the issue is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer and then sends a final cleartext byte on the same TCP connection, which can cause heap corruption and unauthenticated remote code execution.
Exim indicates that versions before 4.99.3 are obsolete and that 4.99.3 contains the security fix for CVE-2026-45185. Public reporting also notes that OpenSSL-based builds are not affected by this specific condition.
Exploit Chain
Stage 1: Reach exposed SMTP service
An attacker connects to an internet-accessible Exim server running an affected version with the vulnerable GnuTLS/CHUNKING behavior.
Stage 2: Trigger protocol edge case
During BDAT chunked transfer handling, the attacker induces the TLS shutdown sequence (close_notify) and follows with a final cleartext byte on the same TCP connection.
Stage 3: Use-after-free and heap corruption
The server hits a use-after-free condition in the BDAT parsing path, causing heap corruption.
Stage 4: Remote code execution
If exploitation succeeds, the attacker can execute arbitrary code without prior authentication.
Detection Guidance
Exposure identification:
- Identify Exim versions prior to 4.99.3, especially where GnuTLS is used and SMTP CHUNKING/STARTTLS are enabled.
- Prioritize internet-facing MX and relay hosts for immediate review.
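The exposure check above can be scripted. The following is an added example written for this advisory (not Exim project code): it parses the output of `exim -bV` (the "Exim version X.Y.Z" line and the "Support for:" line that names GnuTLS or OpenSSL) and of `exim -bP chunking_advertise_hosts tls_advertise_hosts` ("name = value" lines), then ranks the host. The sample outputs embedded below are constructed; the binary name `exim` in `run_local()` is an assumption (Debian-derived systems install it as `exim4`).

```python
"""Exposure triage for CVE-2026-45185 from `exim -bV` / `exim -bP` output.

Added example for this advisory, not Exim project code. Assumes the usual
`exim -bV` layout ("Exim version X.Y.Z ..." plus a "Support for:" line that
names GnuTLS or OpenSSL) and the `exim -bP name ...` layout ("name = value").
"""
import re
import subprocess

# Exim 4.99.3 contains the fix; anything earlier is a candidate build.
FIXED_VERSION = (4, 99, 3)

# Constructed sample output of `exim -bV` for a GnuTLS build before the fix.
SAMPLE_BV = """Exim version 4.98.2 #2 built 01-Jan-2026 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dnsdb
Configuration file is /etc/exim4/exim4.conf
"""

# Constructed sample output of `exim -bP chunking_advertise_hosts tls_advertise_hosts`.
SAMPLE_BP = """chunking_advertise_hosts = *
tls_advertise_hosts = *
"""


def parse_version(bv_output: str):
    """Return (major, minor, patch) from the 'Exim version' line, or None."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_library(bv_output: str):
    """Return 'GnuTLS', 'OpenSSL' or None based on the 'Support for:' line."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    if not m:
        return None
    features = m.group(1).split()
    for lib in ("GnuTLS", "OpenSSL"):
        if lib in features:
            return lib
    return None


def parse_bp(bp_output: str) -> dict:
    """Parse 'name = value' lines; an empty value means the option is unset."""
    opts = {}
    for line in bp_output.splitlines():
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def assess(bv_output: str, bp_output: str) -> dict:
    """Combine version, TLS library and advertise settings into a priority.

    high   : GnuTLS build before 4.99.3 with CHUNKING and STARTTLS advertised
    medium : GnuTLS build before 4.99.3 with at least one of them not advertised
    low    : fixed release, or an OpenSSL build (not affected by this condition)
    unknown: version line could not be parsed
    """
    version = parse_version(bv_output)
    lib = tls_library(bv_output)
    opts = parse_bp(bp_output)
    chunking = opts.get("chunking_advertise_hosts", "") != ""
    starttls = opts.get("tls_advertise_hosts", "") != ""

    reasons = []
    if version is None:
        priority = "unknown"
        reasons.append("could not determine Exim version")
    else:
        old = version < FIXED_VERSION
        if old:
            reasons.append("release %s is before 4.99.3" % ".".join(map(str, version)))
        if lib == "GnuTLS":
            reasons.append("built against GnuTLS")
        if chunking:
            reasons.append("CHUNKING advertised")
        if starttls:
            reasons.append("STARTTLS advertised")
        vulnerable_build = old and lib == "GnuTLS"
        if vulnerable_build and chunking and starttls:
            priority = "high"
        elif vulnerable_build:
            priority = "medium"
        else:
            priority = "low"

    return {
        "version": version,
        "tls_library": lib,
        "chunking": chunking,
        "starttls": starttls,
        "priority": priority,
        "reasons": reasons,
    }


def run_local(exim_bin: str = "exim") -> dict:
    """Assess the local host by invoking the Exim binary (name is an assumption)."""
    bv = subprocess.run([exim_bin, "-bV"], capture_output=True, text=True, check=True).stdout
    bp = subprocess.run(
        [exim_bin, "-bP", "chunking_advertise_hosts", "tls_advertise_hosts"],
        capture_output=True, text=True, check=True,
    ).stdout
    return assess(bv, bp)


if __name__ == "__main__":
    # Demonstrate on the constructed samples; use run_local() on a real host.
    print(assess(SAMPLE_BV, SAMPLE_BP))
```

Run it on each MX and relay host (for example via your configuration-management tool) and feed the `priority` field into the upgrade queue; "high" hosts are the ones where the vulnerable GnuTLS code path is both present and reachable from the network.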
Operational controls:
- Upgrade to Exim 4.99.3 or later.
- Where immediate patching is not possible, reduce exposure of vulnerable SMTP endpoints and restrict untrusted network access paths.
Behavioral monitoring:
- Monitor SMTP services for abnormal connection patterns involving TLS shutdown events during BDAT transfers.
- Investigate crashes, restarts, or anomalous process behavior in Exim daemons on exposed servers.
Indicators of Compromise
The cited public sources do not provide file hashes, IP addresses, or domain indicators specific to exploitation of CVE-2026-45185.
Potential investigation leads include:
- Unexpected Exim process crashes tied to malformed BDAT/TLS session behavior.
- Unusual SMTP session sequences around TLS close_notify and post-shutdown data bytes.
- Post-exploitation anomalies on Exim hosts, including unexpected child processes or unauthorized configuration changes.
Disclosure Timeline
| Date | Event |
|---|---|
| 2026-05-12 | NVD published CVE-2026-45185 details describing the BDAT/TLS-triggered use-after-free and RCE impact. |
| 2026-05-12 | Exim security release 4.99.3 published to address CVE-2026-45185. |
| 2026-05-13 | BleepingComputer reported public details, affected version range, and remediation guidance. |
Sources & References
- Exim: Project security notice and release status — Exim, 2026-05-28
- BleepingComputer: New critical Exim mailer flaw allows remote code execution — BleepingComputer, 2026-05-13
- National Vulnerability Database: CVE-2026-45185 — National Vulnerability Database, 2026-05-12