CVE-2026-45185

Exim · Exim

Exim versions before 4.99.3 contain a use-after-free vulnerability in the BDAT body parsing path, allowing unauthenticated remote code execution via specifically crafted TLS close_notify sequences.

Executive summary

A critical use-after-free vulnerability in Exim allows unauthenticated remote attackers to achieve arbitrary code execution, posing a severe risk to mail infrastructure.

Vulnerability

This vulnerability is a use-after-free flaw triggered during BDAT body parsing when a client sends a TLS close_notify mid-transfer. An unauthenticated attacker can exploit this memory corruption to execute arbitrary code on the affected server.

Business impact

The exploitation of this vulnerability results in full system compromise, allowing attackers to gain complete control over the mail transfer agent. Given the CVSS score of 9.8, this poses an extreme risk of data exfiltration, service disruption, and potential lateral movement into the internal network.

Remediation

Immediate Action: Upgrade Exim to version 4.99.3 or later to resolve the memory corruption vulnerability; this is the only complete fix.

Proactive Monitoring: Monitor Exim's main and panic logs for unusual BDAT (CHUNKING extension) traffic patterns, and system logs for unexpected segmentation faults or crashes of the Exim process, which are the most likely visible symptom of a use-after-free being triggered.

Compensating Controls: Until patched, deploy an intrusion detection or prevention system in front of the MTA, configured to drop SMTP sessions that abort TLS mid-BDAT or otherwise show malformed chunking behaviour. Note that a web application firewall inspects HTTP only and does not cover SMTP traffic, so it is not an effective control here.
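The three remediation steps above can be partly automated. The following triage script is an example added by the editor, not code from the advisory or from the Exim project: it compares the output of `exim -bV` against the fixed version the advisory names (4.99.3), flags kernel and systemd log lines reporting an Exim segfault, and counts BDAT (CHUNKING) deliveries per peer from Exim mainlog receive lines. It assumes the standard `Exim version X.Y[.Z]` first line of `exim -bV`, the kernel's `proc[pid]: segfault at` message format, and the `K` flag Exim places on `<=` receive lines when the CHUNKING extension was used; all log and version samples are constructed for illustration.

```python
"""Exim BDAT advisory triage helper (editor's example, not advisory code).

Checks:
  1. is_vulnerable_version(): parse `exim -bV` output, compare with 4.99.3.
  2. find_crash_lines(): flag syslog/journal lines showing exim segfaulting.
  3. chunking_counts_by_host(): count CHUNKING (BDAT) receive lines per peer
     in the Exim mainlog, to spot unusual BDAT traffic.
All sample input below is constructed.
"""
import re
from collections import Counter

FIXED_VERSION = (4, 99, 3)  # fixed release named in the advisory

# First line of `exim -bV`, e.g. "Exim version 4.98 #2 built 01-Jan-2025 ..."
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(bv_output: str):
    """Return (major, minor, patch); a missing patch component counts as 0."""
    m = VERSION_RE.search(bv_output)
    if not m:
        raise ValueError("no 'Exim version' line found in input")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(bv_output: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_exim_version(bv_output) < FIXED_VERSION


# Kernel segfault reports ("exim4[2117]: segfault at ...") and systemd's
# SIGSEGV exit status for the exim/exim4 service unit.
CRASH_RE = re.compile(
    r"\bexim4?\[\d+\]: segfault at |exim4?\.service: .*status=11/SEGV"
)


def find_crash_lines(log_lines):
    """Return 1-based line numbers of lines that report an Exim crash."""
    return [n for n, line in enumerate(log_lines, 1) if CRASH_RE.search(line)]


# Exim mainlog receive line: "... <= sender H=host [ip] P=esmtps ... K S=..."
# H= may be "name [ip]", "(helo) [ip]" or just "[ip]"; the standalone K token
# marks a message that arrived via the CHUNKING (BDAT) extension.
RECEIVE_RE = re.compile(r" <= \S+ H=.*?\[(?P<ip>[^\]]+)\]")


def chunking_counts_by_host(mainlog_lines):
    """Count K-flagged (BDAT) receive lines per peer IP address."""
    counts = Counter()
    for line in mainlog_lines:
        m = RECEIVE_RE.search(line)
        if m and " K " in line[m.end():] + " ":
            counts[m.group("ip")] += 1
    return counts


def suspicious_hosts(counts, threshold):
    """Peers whose BDAT delivery count meets or exceeds the threshold."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# ---- constructed sample input -------------------------------------------
SAMPLE_BV = "Exim version 4.98 #2 built 01-Jan-2025 12:00:00\n"  # constructed

SAMPLE_SYSLOG = [  # constructed
    "Mar 10 09:14:22 mx1 kernel: exim4[2117]: segfault at 0 ip 0000559a "
    "sp 00007ffd error 4 in exim4[0000559a]",
    "Mar 10 09:14:23 mx1 systemd[1]: exim4.service: Main process exited, "
    "code=killed, status=11/SEGV",
    "Mar 10 09:15:00 mx1 sshd[3000]: Accepted publickey for admin",
]

SAMPLE_MAINLOG = [  # constructed; X= uses Exim's OpenSSL-style cipher form
    "2026-03-10 09:12:01 1tXa1b-000123-Q1 <= alice@example.org "
    "H=mail.example.org [192.0.2.10] P=esmtps "
    "X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no K S=2047",
    "2026-03-10 09:12:05 1tXa1f-000124-Q2 <= bob@example.net "
    "H=(smtp.example.net) [198.51.100.7] P=esmtps "
    "X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=1893",
] + [
    f"2026-03-10 09:13:4{i} 1tXa2k-00012{5 + i}-Q{3 + i} <= scanner@example.com "
    "H=[203.0.113.5] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no K S=512"
    for i in range(3)
]


def triage(bv_output=SAMPLE_BV, syslog=SAMPLE_SYSLOG, mainlog=SAMPLE_MAINLOG,
           threshold=2):
    """Run all three checks and return a summary dict."""
    counts = chunking_counts_by_host(mainlog)
    return {
        "version": parse_exim_version(bv_output),
        "vulnerable": is_vulnerable_version(bv_output),
        "crash_lines": find_crash_lines(syslog),
        "bdat_counts": dict(counts),
        "suspicious_hosts": suspicious_hosts(counts, threshold),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a real host, feed `subprocess.check_output(["exim", "-bV"], text=True)` and the contents of the journal and of `/var/log/exim4/mainlog` (or the distribution's equivalent path) into `triage()`. The BDAT threshold is a local tuning knob: a single peer sending many small chunked messages over TLS is not proof of exploitation, but it is the traffic pattern the advisory asks you to watch while the upgrade is pending.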

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations running Exim must prioritize patching to version 4.99.3 or above. Given the critical severity and the ease of exploitation, failure to update will leave the infrastructure vulnerable to complete compromise by remote, unauthenticated actors.