CRITICAL🇵🇱 Wersja polska

CVE-2026-45185

CVSS 9.8v3.1pub. 2026-05-12upd. 2026-05-28

Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.

🤖 AI Analysis
How it works

The vulnerability occurs in the BDAT message body parsing path (CHUNKING mechanism) with specific GnuTLS configurations. The attacker sends a TLS close_notify signal during message body transfer (in the middle of a chunk), then transmits the final byte as cleartext within the same TCP connection. This unexpected transition leads to use-after-free of a heap memory area, causing heap corruption. The bug can be exploited to hijack control flow and execute arbitrary code.

Impact

An unauthenticated network attacker can execute arbitrary code on the server with Exim process privileges, which in practice means complete compromise of the mail server. Possible consequences include data disclosure and modification, malware installation, and use of the server as an entry point for further network infiltration.

Mitigation & patch

Exim must be updated immediately to version 4.99.3 or later. Detailed patch information is available in the official security bulletin at https://exim.org/static/doc/security/CVE-2026-45185.txt and https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/. As a temporary workaround, consider disabling CHUNKING (BDAT) support or switching the TLS library if an immediate update is not possible.

Who is affected

Exim versions prior to 4.99.3 running with GnuTLS configuration (not all TLS configurations are vulnerable — a specific GnuTLS configuration with CHUNKING/BDAT support enabled is required).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exim

    APP
    Exim
    4.97 – 4.99.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2019-16928CRITICAL9.8⚠ KEVten sam produkt

Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is...

CVE-2019-10149CRITICAL9.8⚠ KEVten sam produkt

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in delive...

CVE-2018-6789CRITICAL9.8⚠ KEVten sam produkt

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handc...

CVE-2010-4344CRITICAL9.8⚠ KEVten sam produkt

Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attack...

CVE-2023-42115CRITICAL9.8PL ✓ten sam produkt

Exim SMTP AUTH — zapis poza buforem umożliwiający zdalne wykonanie kodu