CVE-2026-45185 Overview
CVE-2026-45185 is a remotely reachable use-after-free vulnerability in Exim mail transfer agent versions before 4.99.3 when built with certain GnuTLS configurations. The flaw resides in the BDAT body parsing path used during SMTP CHUNKING transfers. An attacker triggers the condition by sending a TLS close_notify mid-body during a CHUNKING transfer, then transmitting a final cleartext byte on the same TCP connection. This sequence causes heap corruption in the Exim process. An unauthenticated network attacker can leverage the corruption to execute arbitrary code on the mail server [CWE-416].
Critical Impact
Unauthenticated remote code execution against internet-facing Exim mail servers with GnuTLS and CHUNKING enabled.
Affected Products
- Exim versions before 4.99.3
- Exim builds linked against GnuTLS in vulnerable configurations
- SMTP services with CHUNKING (BDAT) extension enabled
Discovery Timeline
- 2026-05-12 - CVE-2026-45185 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45185
Vulnerability Analysis
The vulnerability lives in Exim's handling of the SMTP BDAT command, which is part of the CHUNKING extension defined in RFC 3030. CHUNKING allows clients to send message bodies in length-prefixed binary chunks rather than relying on dot-stuffing termination. When the SMTP session is wrapped in TLS using GnuTLS, Exim maintains parallel state for the encrypted transport and the BDAT body parser. The interaction between these two state machines is where the defect occurs.
An attacker who initiates a BDAT transfer over TLS and issues a close_notify alert mid-body causes Exim to tear down TLS-related buffers while the BDAT parser still holds references to memory that is freed during cleanup. A subsequent cleartext byte on the same TCP connection re-enters the body-reading code path, which dereferences and writes through the dangling pointer. The result is heap corruption that an attacker can shape into arbitrary code execution.
Root Cause
The root cause is a lifetime mismatch between TLS session teardown and the BDAT body reader. Exim frees structures tied to the TLS layer when close_notify is processed, but the BDAT state retains pointers into those structures. The condition is classified as a use-after-free [CWE-416] and is reachable without authentication.
Attack Vector
Exploitation requires only network access to an Exim listener that accepts STARTTLS or implicit TLS and advertises CHUNKING. The attacker opens an SMTP session, negotiates TLS, issues MAIL FROM and RCPT TO, begins a BDAT chunk transfer, sends close_notify partway through the chunk, then writes one additional cleartext byte before the TCP connection is closed. No prior credentials, mail relay permissions, or user interaction are required.
The vulnerability is described in prose only because verified proof-of-concept code has not been published in the referenced advisories. See the CVE-2026-45185 Security Notice and the Xbow Blog on CVE-2026-45185 for additional technical context.
Detection Methods for CVE-2026-45185
Indicators of Compromise
- SMTP sessions where a TLS close_notify record is followed by additional cleartext bytes on the same TCP connection before FIN.
- Exim worker process crashes, segmentation faults, or panic log entries referencing BDAT or TLS read paths.
- Unexpected child processes spawned by the Exim daemon, particularly shells or network tools.
- Outbound connections initiated from the Exim process to attacker-controlled hosts immediately after a BDAT transaction.
Detection Strategies
- Inspect Exim mainlog and paniclog for abnormal termination of sessions that used the BDAT verb over TLS.
- Use network sensors to flag SMTP flows that contain a TLS alert record followed by plaintext SMTP bytes on the same 5-tuple.
- Correlate Exim process crash events with preceding SMTP connections from external IP addresses.
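One way to implement the network-side check above (TLS records followed by plaintext bytes on one flow), written as an added example rather than code from the advisory or the Exim project. It assumes the input is the client-to-server byte stream from the TLS ClientHello onward (after STARTTLS, or from the first byte on an implicit-TLS port) and uses small constructed sample flows, not real captures:

```python
"""Flag SMTP flows where TLS records are followed by cleartext bytes.
Input: client->server bytes starting at the TLS ClientHello, i.e. after
STARTTLS or from the first byte of an implicit-TLS port (assumption here)."""
import struct

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # ccs, alert, handshake, app_data
ALERT, APPLICATION_DATA = 0x15, 0x17

def tls_record(ctype: int, payload: bytes, version=(3, 3)) -> bytes:
    """Build header + payload; used here only to construct sample data."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload

def parse_tls_records(stream: bytes):
    """Return ([(content_type, payload), ...], trailing_bytes).
    Parsing stops at the first position that is not a TLS record header, so
    the remainder is data the client sent outside the TLS layer. Limitation:
    trailing cleartext that starts with a plausible header is consumed."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
            break
        if off + 5 + length > len(stream):
            break  # truncated record: treat the remainder as non-TLS
        records.append((ctype, stream[off + 5:off + 5 + length]))
        off += 5 + length
    return records, stream[off:]

def flags_for_flow(client_bytes: bytes) -> list:
    """Detection labels for one flow; an empty list means nothing suspicious."""
    records, trailing = parse_tls_records(client_bytes)
    if not records or not trailing:
        return []
    if records[-1][0] == ALERT:
        # TLS 1.2 exposes the alert content type even though the body is
        # encrypted: this is the close_notify-then-cleartext shape above.
        return ["alert-then-cleartext"]
    # TLS 1.3 wraps alerts as application_data; only the trailing bytes show.
    return ["tls-then-cleartext"]

# Constructed sample flows, not real captures.
_hello = tls_record(0x16, b"\x01" + b"\x00" * 40, version=(3, 1))
BENIGN_FLOW = _hello + tls_record(APPLICATION_DATA, b"\xaa" * 64) + tls_record(ALERT, b"\x00" * 26)
SUSPICIOUS_FLOW = BENIGN_FLOW + b"\n"  # one cleartext byte after the alert record
TLS13_STYLE_FLOW = _hello + tls_record(APPLICATION_DATA, b"\xbb" * 64) + b"."
```

A sensor that reassembles the client side of each SMTP 5-tuple can feed that stream to flags_for_flow and raise the alert on any non-empty result.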
Monitoring Recommendations
- Enable verbose SMTP transaction logging including +smtp_protocol_error and +tls_cipher log selectors.
- Forward Exim logs and host process telemetry to a centralized analytics platform for cross-correlation with network telemetry.
- Alert on any execve from the Exim UID that is not an expected delivery transport or queue runner.
How to Mitigate CVE-2026-45185
Immediate Actions Required
- Upgrade Exim to version 4.99.3 or later on all mail relays and edge MTAs.
- Inventory all Exim instances and identify those compiled against GnuTLS, as those are the affected builds.
- Restrict inbound SMTP exposure to known mail peers where operationally feasible until patching is complete.
Patch Information
The Exim project released a fix in version 4.99.3 as documented in the Exim Security Release 2026-05-01. Administrators should apply distribution-provided packages once available or rebuild from upstream sources. Confirm the running binary version with exim -bV after deployment.
Workarounds
- Rebuild Exim against OpenSSL instead of GnuTLS if upgrading is not immediately possible, since the defect is specific to certain GnuTLS configurations.
- Disable the CHUNKING extension by setting chunking_advertise_hosts to an empty value (chunking_advertise_hosts =) in the Exim configuration, so that CHUNKING is no longer advertised and the BDAT attack surface is removed.
- Terminate SMTP TLS at an upstream proxy that does not forward raw close_notify semantics to the Exim backend.
# Configuration example: disable CHUNKING advertisement in exim.conf
chunking_advertise_hosts =
# Verify Exim version after patching
exim -bV | head -n 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.