SB2026051365 - Remote code execution in Exim

Description

This security bulletin contains information about 1 vulnerability.

1) Use-after-free (CVE-ID: CVE-2026-45185)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to use-after-free in Exim's GnuTLS backend when handling BDAT message body transfers after a TLS close_notify alert is received before the transfer is complete. A remote attacker can send a TLS close_notify alert and then a final byte in cleartext on the same TCP connection to execute arbitrary code.

Only builds configured with USE_GNUTLS=yes are vulnerable, and exploitation requires use of the CHUNKING (BDAT) SMTP extension.

Remediation

Install update from vendor's website.

References

• https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/EXIM-Security-2026-05-01.1.txt
• https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim
• https://www.openwall.com/lists/oss-security/2026/05/12/4