Exim "Dead.Letter" – Unauthenticated RCE via BDAT Use-After-Free in GnuTLS Builds (CVE-2026-45185)
Scope: Exim Versions 4.97 – 4.99.2 (GnuTLS Builds Only – Debian/Ubuntu Default)
Severity: Red
A critical use-after-free vulnerability (CVSS 9.8) in Exim's BDAT message body parsing path, dubbed Dead.Letter and discovered by XBOW researcher Federico Kirschbaum, allows unauthenticated remote attackers to corrupt the heap of any internet-facing Exim mail server by sending a TLS close_notify alert mid-BDAT transfer followed by a single plaintext byte on the same TCP connection. That byte writes a newline into freed allocator metadata, enabling a full heap exploitation chain that leads to remote code execution. The flaw is exclusive to GnuTLS-linked builds, which are the default on Debian, Ubuntu, and most Debian-derived distributions; OpenSSL builds are not affected.

No configuration workaround exists. Organizations must upgrade to Exim 4.99.3 immediately via their distribution's package manager, verify that the service has been restarted, and confirm which TLS library the binary is linked against using exim -bV | grep TLS.
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.
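The following script is an added example for administrators triaging a fleet; it is not part of this advisory and not code from the Exim project. It applies the advisory's two conditions (version between 4.97 and 4.99.2 inclusive, and a GnuTLS-linked build) to the output of exim -bV. The format of that output (an "Exim version X.Y.Z" first line and a "Support for:" line carrying a TLS=GnuTLS or TLS=OpenSSL token) is an assumption based on the advisory's grep hint, and every sample report embedded below is constructed so the logic can be exercised on a host without Exim installed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Exim project): decide whether an
# `exim -bV` report describes a build affected by CVE-2026-45185, i.e.
# version in 4.97..4.99.2 AND linked against GnuTLS. The report format is assumed.

# vercmp A B: prints -1, 0 or 1 as dotted-numeric version A is <, = or > B.
# Missing components are treated as 0, so "4.97" equals "4.97.0".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# is_affected <text of exim -bV output>
# Returns 0 when affected, 1 when not affected, 2 when the version cannot be parsed.
is_affected() {
    out=$1
    ver=$(printf '%s\n' "$out" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo "could not parse Exim version from report" >&2
        return 2
    fi
    # Affected range stated by the advisory: 4.97 <= version <= 4.99.2
    if [ "$(vercmp "$ver" 4.97)" -lt 0 ] || [ "$(vercmp "$ver" 4.99.2)" -gt 0 ]; then
        return 1
    fi
    # Only GnuTLS-linked builds are affected; OpenSSL builds are not.
    # Accept "TLS=GnuTLS" as well as a bare "GnuTLS" token on the "Support for:" line.
    if printf '%s\n' "$out" | grep '^Support for:' \
        | grep -q -E '(TLS=|[[:space:]])GnuTLS([[:space:]]|$)'; then
        return 0
    fi
    return 1
}

# report <exim -bV text> <label>: human-readable verdict for one host report.
report() {
    if is_affected "$1"; then
        echo "AFFECTED: $2 (upgrade to 4.99.3 and restart the service)"
    elif [ $? -eq 2 ]; then
        echo "UNKNOWN: $2 (could not parse version)"
    else
        echo "not affected: $2"
    fi
}

# Constructed sample reports (hypothetical hosts; build dates are placeholders).
SAMPLE_GNUTLS_498='Exim version 4.98 #2 built 01-Jan-2025 00:00:00
Support for: crypteq iconv() IPv6 PAM Perl TLS=GnuTLS TLS_resume DKIM DNSSEC'
SAMPLE_GNUTLS_4992='Exim version 4.99.2 #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 TLS=GnuTLS DKIM DNSSEC'
SAMPLE_GNUTLS_4993='Exim version 4.99.3 #1 built 01-Feb-2026 00:00:00
Support for: crypteq iconv() IPv6 TLS=GnuTLS DKIM DNSSEC'
SAMPLE_OPENSSL_498='Exim version 4.98 #2 built 01-Jan-2025 00:00:00
Support for: crypteq iconv() IPv6 PAM Perl TLS=OpenSSL TLS_resume DKIM DNSSEC'
SAMPLE_GNUTLS_496='Exim version 4.96 #2 built 01-Jan-2023 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC'

# Stand-alone run: check the local Exim if present, otherwise walk the samples.
if command -v exim >/dev/null 2>&1; then
    report "$(exim -bV 2>/dev/null)" "local exim -bV"
else
    report "$SAMPLE_GNUTLS_498"  "constructed sample: 4.98 GnuTLS"
    report "$SAMPLE_GNUTLS_4992" "constructed sample: 4.99.2 GnuTLS"
    report "$SAMPLE_GNUTLS_4993" "constructed sample: 4.99.3 GnuTLS (fixed)"
    report "$SAMPLE_OPENSSL_498" "constructed sample: 4.98 OpenSSL"
    report "$SAMPLE_GNUTLS_496"  "constructed sample: 4.96 GnuTLS (pre-range)"
fi
```

Feeding the script the collected exim -bV output of each host (for example from a configuration-management fact cache) gives a per-host verdict that can be checked again after the package upgrade; a host still reporting a version in the range after the update most likely has not restarted the running daemon, which the advisory asks administrators to verify separately.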