Skip to main content
Mallory
Back to vulnerabilities
Critical3 public exploits

Dead.Letter

CVE-2026-45185CWE-416· Use After Free

CVE-2026-45185 ("Dead.Letter") is a remotely reachable use-after-free vulnerability in Exim’s BDAT body parsing path when Exim is built with GnuTLS support. It affects Exim versions 4.97 through 4.99.2 (i.e., before 4.99.3) in configurations where SMTP CHUNKING/BDAT is in use, typically alongside STARTTLS/TLS handling via GnuTLS. The flaw is triggered when a client sends a TLS close_notify during an in-progress BDAT body transfer and then sends a final cleartext byte on the same TCP connection. In the vulnerable state transition, Exim tears down the TLS session and frees the TLS transfer buffer, but nested BDAT receive wrappers can still reference the stale lower-layer TLS callbacks and invoke ungetc()-style logic against freed memory. This results in a write into freed heap memory and consequent heap corruption, with reported potential for unauthenticated remote code execution. OpenSSL-based Exim builds are not affected.

Share:
Stay ahead

Get ahead of vulnerabilities like this

Mallory continuously monitors global threat intelligence and correlates it with your attack surface — so you know if you’re exposed before adversaries strike.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. For analysts and engineers who need to decide and keep moving.

Impact

What an attacker gets — and what they’ve been doing with it.

Successful exploitation can corrupt heap memory and may allow unauthenticated remote code execution in the Exim process. Depending on the privileges and role of the Exim service on the target host, this can expose email contents and metadata, permit execution of attacker-controlled commands, disrupt mail handling, and provide a foothold for further post-exploitation activity or lateral movement. The published CVSS context indicates high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

The Exim advisory states that there is no complete mitigation other than upgrading. Where immediate patching is not possible, reducing exposure by disabling advertisement/use of the CHUNKING capability (for example via chunking_advertise_hosts) may reduce exploitability because the bug is in the BDAT/CHUNKING path. Using non-GnuTLS builds such as OpenSSL-based Exim is not affected, but changing TLS backend may not be practical as an emergency control. Restricting network exposure to trusted SMTP peers may also reduce risk, but these are compensating controls only, not a fix.

Remediation

Patch, then assume compromise.

Upgrade Exim to version 4.99.3 or later. The fix released by the Exim maintainers resets the input-processing stack when a TLS close notification is received during an active BDAT transfer and prevents stale pointers/callbacks from being used after TLS shutdown. Systems running affected packaged builds should apply the vendor or distribution security update as soon as it is available.
PUBLIC EXPLOITS

Exploits

No valid public exploits — Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 3 TOTALView all

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
EximEximapplication

Vendor-confirmed product mapping. Mallory continuously reconciles against your asset inventory in the product.

ACTIVITY FEED

Recent activity

85 sources tracked across advisories, community write-ups, and news. Mallory keeps watching after this page renders.

85 SOURCESView all
nuclei templates pull requestsNews
May 19, 2026
Add CVE-2026-45185 template for Exim STARTTLS BDAT response check by MJ-bin · Pull Request #16213 · projectdiscovery/nuclei-templates · GitHub

Unknown

Read more
hiveproNews
May 15, 2026
The Machine Found It First. The Machine Will Exploit It Next. | Hive Pro

A critical unauthenticated, wormable use-after-free vulnerability in the Exim mail transfer agent’s BDAT body parsing path during GnuTLS shutdown, described as leading to remote code execution.

Read more
scworldNews
May 14, 2026
Critical Exim vulnerability allows remote code execution | brief | SC Media

A critical unauthenticated remote code execution vulnerability in certain Exim configurations caused by a use-after-free during TLS shutdown when handling chunked SMTP traffic.

Read more
thecyberexpress com vulnerabilitiesNews
May 14, 2026
Exim BDAT Vulnerability Patch Released For CVE-2026

A critical remote use-after-free vulnerability in Exim's handling of BDAT SMTP transfers over GnuTLS-enabled TLS sessions. It can cause memory corruption and potentially remote code execution when a TLS close_notify occurs during an active BDAT transfer and data continues on the same connection.

Read more
+2 more in the timeline from May 12, 2026 – May 13, 2026
cvefeed high severityNews
May 12, 2026
CVE-2026-45185 - Exim GnuTLS Use-After-Free Remote Code Execution Vulnerability

A remotely reachable use-after-free vulnerability in Exim before 4.99.3 under certain GnuTLS configurations, in the BDAT body parsing path, that can lead to heap corruption and unauthenticated remote code execution.

Read more
hackernews breachNews
May 12, 2026
Dead.Letter (CVE-2026-45185) - How XBOW found an unauthenticated RCE on Exim | Hacker News

An unauthenticated remote code execution vulnerability affecting Exim, referred to as Dead.Letter.

Read more
opennetNews
May 1, 2026
���������� � Exim, ����������� ���̣��� ��������� ��� �� �������

A use-after-free vulnerability in Exim affecting versions 4.97+ built with GnuTLS, potentially leading to remote code execution or crash conditions via crafted SMTP/TLS interactions involving CHUNKING/BDAT and TLS close_notify.

Read more
xbow blogNews
Jan 5, 2026
XBOW - Dead.Letter (CVE-2026-45185) How XBOW Found an Unauthenticated RCE on Exim

A use-after-free vulnerability in Exim's GnuTLS-backed STARTTLS/BDAT handling that can corrupt allocator metadata and be escalated to remote code execution. The issue is significant because it reportedly requires little special server configuration and affects widely deployed Exim setups using GnuTLS.

Read more
The operational view lives in Mallory

See the full picture, correlated to your attack surface.

This page covers what’s public. Mallory adds the parts that aren’t — which of your assets are affected, which threat actors are using it right now, which detections to deploy, and what to do next.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules — auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity74

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
NVD
nvd.nist.gov/vuln/detail/CVE-2026-45185
openwall.com
openwall.com/lists/oss-security/2026/05/12/25
code.exim.org
code.exim.org/exim/wiki/wiki/EximSecurity
exim.org
exim.org
exim.org
exim.org/static/doc/security/CVE-2026-45185.txt
exim.org
exim.org/static/doc/security/EXIM-Security-2026-05-01.1
news.ycombinator.com
news.ycombinator.com/item?id=48111748
openwall.com
openwall.com/lists/oss-security/2026/05/12/4
xbow.com
xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim