
Critical Exim Vulnerability 'Dead.Letter' Allows Remote Code Execution on GnuTLS Builds

Last updated: 2026-05-12 21:54:53 · Cybersecurity

Exim, the widely used open-source Mail Transfer Agent (MTA), has issued urgent security patches to address a critical vulnerability that could allow attackers to trigger memory corruption and potentially execute arbitrary code. The flaw, identified as CVE-2026-45185 and nicknamed “Dead.Letter”, is a use-after-free issue specific to certain configurations involving GnuTLS. This article breaks down the vulnerability, its impact, and the necessary steps to secure your mail servers.

Overview of Exim and Its Role in Email Infrastructure

Exim is a high-performance, open-source MTA designed for Unix-like systems. It handles the routing, delivery, and reception of email messages, making it a backbone component for many internet service providers, organizations, and email hosting platforms. Given its widespread deployment, any security flaw in Exim can have far-reaching consequences, potentially exposing sensitive communications and compromising server integrity.

Source: feeds.feedburner.com

The Vulnerability: CVE-2026-45185 (Dead.Letter)

Technical Details: Use-After-Free in BDAT Handling

The vulnerability resides in Exim's handling of the BDAT (Binary Data) command, which is used for transporting chunked binary content in SMTP (Simple Mail Transfer Protocol). Under specific build conditions, particularly when Exim is compiled with GnuTLS for TLS support, a use-after-free condition can occur. A use-after-free bug means that the software continues to use a pointer after the memory it references has been freed; if an attacker can influence what is subsequently placed in that freed memory, the stale pointer operates on attacker-controlled data. This can lead to memory corruption and, in carefully crafted attacks, remote code execution.

The flaw is tracked as CVE-2026-45185 and has been labeled “Dead.Letter” by researchers. It affects Exim versions prior to the latest security release, but only those configurations that enable GnuTLS and process BDAT commands. Systems using OpenSSL or other TLS libraries are not directly impacted by this specific vector.

Affected Versions and Configurations

The vulnerability impacts Exim installations that meet all of the following criteria:

  • Exim version: All versions up to and including 4.96.2 (the fixed version is 4.96.3 or later).
  • TLS library: Compiled with GnuTLS (not OpenSSL).
  • Feature usage: The server accepts BDAT commands, which is common in modern SMTP servers.

Administrators can verify their Exim build configuration by checking the compile-time flags. If SUPPORT_TLS is set and USE_GNUTLS is defined, the server is potentially vulnerable. Additionally, the chunking option must be enabled in the Exim configuration file (exim.conf) to accept BDAT.

Potential Impact: From Memory Corruption to Code Execution

A successful exploit of CVE-2026-45185 could allow an unauthenticated remote attacker to:

  • Trigger memory corruption, leading to crashes (denial of service).
  • Execute arbitrary code with the privileges of the Exim process (typically a low-privileged user like mail or nobody).
  • Escalate privileges if combined with other vulnerabilities or misconfigurations.
  • Potentially compromise the entire mail server, leading to data breaches or further network attacks.

The use-after-free nature makes the vulnerability particularly dangerous because it is a common precursor to remote code execution. The CVSSv3 score for CVE-2026-45185 is estimated at 9.8 (Critical), indicating the severity and ease of exploitation.


Mitigation and Recommendations

Exim has released version 4.96.3 that patches the vulnerability. The most effective mitigation is to upgrade immediately. Administrators should:

  1. Upgrade Exim to the latest patched version. Most package managers (e.g., apt, yum) will have the updated package available. For custom builds, download the source from the official Exim website and recompile.
  2. Verify the fix by checking the changelog or confirming the version number.
  3. Consider temporary workarounds if immediate patching is not possible:
    • Disable the BDAT command by adding ignore_bdat = true in the Exim configuration. Warning: this may prevent delivery of chunked binary emails, but it eliminates the attack vector.
    • Switch from GnuTLS to OpenSSL if supported by your OS and infrastructure. However, this requires recompilation and thorough testing.
  4. Monitor logs for unusual activity related to BDAT or memory errors.
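As an added example (not part of the advisory or of Exim's own tooling), the following Python triage helper applies the two build-time criteria above, a version before the fixed release and a GnuTLS build, to the output of `exim -bV`, which prints the version and a "Support for:" line naming the TLS library. The sample output is constructed, the 4.96.3 threshold is the page's stated fixed version, and the third criterion (chunking/BDAT enabled in exim.conf) is not visible in `-bV` output and still has to be checked in the running configuration.

```python
import re

# Fixed release named in the advisory; earlier GnuTLS builds are in scope.
FIXED_VERSION = (4, 96, 3)

# Constructed sample of `exim -bV` output (not captured from a real host).
SAMPLE_BV_OUTPUT = """\
Exim version 4.96.2 #2 built 18-Oct-2025 10:40:57
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS TLS_resume Content_Scanning DKIM DNSSEC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dnsdb dsearch
Library version: GnuTLS: Compile: 3.7.1
"""


def parse_version(text):
    """Return the Exim version as a tuple of ints, e.g. '4.96.2' -> (4, 96, 2)."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)*)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Exim version' line found in -bV output")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad so a two-part version such as 4.96 compares as (4, 96, 0).
    return parts + (0,) * (len(FIXED_VERSION) - len(parts))


def tls_library(text):
    """Return 'GnuTLS', 'OpenSSL' or None from the 'Support for:' tokens."""
    m = re.search(r"^Support for:(.*)$", text, re.MULTILINE)
    tokens = set(m.group(1).split()) if m else set()
    if "GnuTLS" in tokens:
        return "GnuTLS"
    if "OpenSSL" in tokens:
        return "OpenSSL"
    return None


def assess_build(text):
    """Flag a build as exposed when it is pre-fix AND linked against GnuTLS.

    BDAT/chunking acceptance is a runtime setting and is not assessed here.
    """
    version = parse_version(text)
    lib = tls_library(text)
    exposed = version < FIXED_VERSION and lib == "GnuTLS"
    return {"version": version, "tls_library": lib, "exposed": exposed}


if __name__ == "__main__":
    print(assess_build(SAMPLE_BV_OUTPUT))
```

On a real host, pipe `exim -bV` into `assess_build` instead of the constructed sample; a result of `exposed: False` for an OpenSSL build matches the advisory's statement that OpenSSL builds are not affected by this vector.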

Conclusion

The Dead.Letter vulnerability (CVE-2026-45185) is a stark reminder of the risks inherent in complex MTA software. Exim’s role as a core email component makes it a prime target for attackers seeking to infiltrate networks or intercept communications. With a critical CVSS score and demonstrated potential for remote code execution, every Exim administrator running GnuTLS builds should treat this patch as urgent.

By upgrading to Exim 4.96.3 and reviewing configuration options, you can close the door on this dangerous attack vector. For detailed guidance, refer to the official Exim Security Advisory and consult your distribution’s documentation.