Description
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Exim before 4.99.3 contains a remotely reachable use‑after‑free flaw in the BDAT body parsing path. When a client sends a TLS close_notify mid‑body during a CHUNKING transfer and follows it with a cleartext byte on the same TCP connection, the parser can access freed memory, causing heap corruption. An attacker can exploit this corruption to execute arbitrary code on the host running Exim, potentially with the permissions of the Exim process.

Affected Systems

The vulnerability affects the Exim mail transfer agent, including all versions prior to 4.99.3. No specific sub‑versions or third‑party libraries are listed beyond the generic GnuTLS configuration requirement.

Risk and Exploitability

The EPSS score of 1% indicates that the likelihood of exploitation is low but nonzero. The vulnerability is not listed in the CISA KEV catalog. The bug’s nature – a use‑after‑free leading to arbitrary code execution – results in a CVSS score of 9.8, reflecting extreme severity. This high score indicates a high likelihood of exploitation by an unauthenticated network attacker able to send crafted TLS frames to the Exim service. The attack vector requires network access only; no local or authenticated privilege escalation steps are needed, making the risk significant for exposed mail servers.

Generated by OpenCVE AI on June 18, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Exim to version 4.99.3 or later, which removes the use‑after‑free flaw.
  • If an upgrade cannot be performed immediately, reconfigure Exim to disable BDAT support or enforce strict TLS handling that rejects mid‑body close_notify frames.
  • If neither upgrading nor disabling BDAT is feasible, apply a firewall rule to block or redirect malformed TLS close_notify frames sent mid‑body, or isolate the Exim service behind a hardened reverse proxy that validates TLS streams.

Generated by OpenCVE AI on June 18, 2026 at 14:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Remote Use‑After‑Free in Exim Enables Arbitrary Code Execution

Wed, 17 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Title Remote Use‑After‑Free in Exim Enables Arbitrary Code Execution

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Leading to Remote Code Execution in BDAT Parsing of Exim

Wed, 13 May 2026 15:45:00 +0000

Type Values Removed Values Added
References

Wed, 13 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Leading to Remote Code Execution in BDAT Parsing of Exim

Tue, 12 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Exim
Exim exim
Weaknesses CWE-416
CPEs cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*
Vendors & Products Exim
Exim exim
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
References

Subscriptions

Exim Exim
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T03:55:55.967Z

Reserved: 2026-05-10T00:00:00.000Z

Link: CVE-2026-45185

cve-icon Vulnrichment

Updated: 2026-05-13T01:36:58.116Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T20:16:46.137

Modified: 2026-06-17T10:51:45.380

Link: CVE-2026-45185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:30:15Z

Weaknesses