CVE-2026-45185
Exim · Exim
Exim versions before 4.99.3 contain a use-after-free vulnerability in the BDAT body parsing path, allowing unauthenticated remote code execution via specifically crafted TLS close_notify sequences.
Executive summary
A critical use-after-free vulnerability in Exim allows unauthenticated remote attackers to achieve arbitrary code execution, posing a severe risk to mail infrastructure.
Vulnerability
This vulnerability is a use-after-free flaw triggered during BDAT body parsing when a client sends a TLS close_notify mid-transfer. An unauthenticated attacker can exploit this memory corruption to execute arbitrary code on the affected server.
Business impact
The exploitation of this vulnerability results in full system compromise, allowing attackers to gain complete control over the mail transfer agent. Given the CVSS score of 9.8, this poses an extreme risk of data exfiltration, service disruption, and potential lateral movement into the internal network.
Remediation
Immediate Action: Upgrade Exim to version 4.99.3 or later to resolve the memory corruption vulnerability.
Proactive Monitoring: Monitor server logs for unusual BDAT traffic patterns and unexpected segmentation faults or crashes in the Exim process.
Compensating Controls: Deploy a Web Application Firewall or intrusion detection system in front of the MTA, configured to drop malformed TLS chunks or suspicious SMTP traffic patterns, until the upgrade is complete.
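The two checks above (confirm the running version is at or beyond 4.99.3, and watch logs for BDAT activity and Exim crashes) can be scripted. The following is an added example written for this advisory; it is not code from Exim or from the advisory's author. It assumes that the output of `exim -bV` begins with a line of the form "Exim version X.Y[.Z] ..." and that a kernel-reported crash appears in syslog as "exim4[PID]: segfault ..."; the log lines embedded below are constructed for the example, not captured from a real server.

```python
import re
from typing import Iterable, List, Tuple

# Fixed version taken from the advisory text.
FIXED_VERSION = (4, 99, 3)

# Assumption: `exim -bV` prints "Exim version 4.98 #2 built ..." as its first line.
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")

# Assumption: the kernel logs a crashed Exim worker as "exim4[<pid>]: segfault at ...".
_SEGFAULT_RE = re.compile(r"\bexim\d*\[\d+\]: segfault\b")
# Any log line mentioning the BDAT (CHUNKING) verb is worth reviewing while unpatched.
_BDAT_RE = re.compile(r"\bBDAT\b")


def parse_exim_version(banner: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `exim -bV` output; patch defaults to 0."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no Exim version string found in banner")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the installed version predates the fixed release."""
    return version < FIXED_VERSION


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Tag log lines as 'crash' (segfault) or 'bdat' (chunked-transfer activity).

    Crash lines are checked first so a single line is never reported twice.
    """
    findings: List[Tuple[str, str]] = []
    for line in lines:
        if _SEGFAULT_RE.search(line):
            findings.append(("crash", line))
        elif _BDAT_RE.search(line):
            findings.append(("bdat", line))
    return findings


# Constructed sample input standing in for `exim -bV` output and a syslog excerpt.
SAMPLE_BANNER = "Exim version 4.98 #2 built 01-Jan-2025 12:00:00"
SAMPLE_LOG = [
    '2026-01-10 12:00:01 H=(mail.example.test) [203.0.113.5] SMTP protocol error in "BDAT 1024 LAST"',
    "Jan 10 12:00:02 mx1 kernel: exim4[2311]: segfault at 0 ip 000055d1 sp 00007ffc error 4 in exim4",
    "2026-01-10 12:00:03 1abcde-000001-00 <= sender@example.test H=(mail.example.test) P=esmtps S=1234",
]


def report(banner: str = SAMPLE_BANNER, log_lines: Iterable[str] = SAMPLE_LOG) -> dict:
    """Combine both checks into one summary dict suitable for a monitoring job."""
    version = parse_exim_version(banner)
    findings = scan_log_lines(log_lines)
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "crashes": sum(1 for kind, _ in findings if kind == "crash"),
        "bdat_events": sum(1 for kind, _ in findings if kind == "bdat"),
    }


if __name__ == "__main__":
    print(report())
```

On a real host, replace SAMPLE_BANNER with the captured output of `exim -bV` and feed the script the Exim mainlog plus the kernel log; a non-zero crash count on an unpatched version is the signal the advisory's monitoring guidance is looking for.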
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations running Exim must prioritize patching to version 4.99.3 or above. Given the critical severity and the ease of exploitation, failure to update will leave the infrastructure vulnerable to complete compromise by remote, unauthenticated actors.