Description
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Exim before 4.99.3 contains a remotely reachable use‑after‑free flaw in the BDAT body parsing path. When a client sends a TLS close_notify mid‑body during a CHUNKING transfer and follows it with a cleartext byte on the same TCP connection, the parser can access freed memory, causing heap corruption. An attacker can exploit this corruption to execute arbitrary code on the host running Exim, potentially with the permissions of the Exim process.

Affected Systems

The vulnerability affects the Exim mail transfer agent, including all versions prior to 4.99.3. No specific sub‑versions or third‑party libraries are listed beyond the generic GnuTLS configuration requirement.

Risk and Exploitability

Although the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the bug’s nature – a use‑after‑free leading to arbitrary code execution – results in a CVSS score of 9.8, reflecting extreme severity. This high score indicates a high likelihood of exploitation by an unauthenticated network attacker able to send crafted TLS frames to the Exim service. The attack vector requires network access only; no local or authenticated privilege escalation steps are needed, making the risk significant for exposed mail servers.

Generated by OpenCVE AI on May 12, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Exim to version 4.99.3 or later, which removes the use‑after‑free flaw.
  • If an upgrade cannot be performed immediately, reconfigure Exim to disable BDAT support or enforce strict TLS handling that rejects mid‑body close_notify frames.
  • Verify and, if possible, update the GnuTLS configuration to a version that does not trigger the bug or consider switching to an alternate TLS library as a temporary precaution.

Generated by OpenCVE AI on May 12, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Leading to Remote Code Execution in BDAT Parsing of Exim

Tue, 12 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Exim
Exim exim
Weaknesses CWE-416
CPEs cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*
Vendors & Products Exim
Exim exim
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
References

Subscriptions

Exim Exim
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T01:36:58.116Z

Reserved: 2026-05-10T00:00:00.000Z

Link: CVE-2026-45185

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T20:16:46.137

Modified: 2026-05-12T21:16:16.807

Link: CVE-2026-45185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:15:27Z

Weaknesses