Critical Exim Flaw 'Dead.Letter' Allows Remote Code Execution on Vulnerable Builds
A critical use-after-free vulnerability in Exim's BDAT (Binary Data) processing module could allow attackers to execute arbitrary code on affected email servers. Tracked as CVE-2026-45185 and nicknamed Dead.Letter, the flaw impacts Exim builds with certain configurations, primarily on Unix-like systems.
Exim maintainers have released emergency security updates to patch the vulnerability. The issue arises when Exim handles malformed BDAT commands, triggering memory corruption that an unauthenticated remote attacker could exploit to gain full control of the mail server.
Background
Exim is a widely deployed open-source Mail Transfer Agent (MTA) on Unix-like platforms, handling routing and delivery of email. The BDAT extension is used for efficient SMTP data transfer, but a coding error in memory management leaves the system exposed.

Security researcher Dr. Elena Voss of the Open Source Security Foundation explained: "This is a textbook use-after-free scenario. An attacker sends a specially crafted sequence of BDAT commands, and Exim's internal structures are freed while still being referenced, leading to heap corruption."
What This Means
Organizations running Exim as their mail gateway should treat this update as urgent. The vulnerability can be triggered remotely without authentication, making it a prime target for ransomware gangs and botnet operators.
Practical implications:
- Immediate patching of all Exim instances is required.
- Workarounds involve disabling BDAT support via ignore_bdat = true in the Exim configuration.
- No known active exploitation has been reported, but proof-of-concept code is expected within days.
Exim project lead James Pruett emphasized: "We strongly advise all administrators to upgrade to the latest version (4.98.1 or higher) as soon as possible. Any delay exposes mail infrastructure to complete compromise."

Expert Analysis
The vulnerability was discovered during a code audit by the GnuTLS team. GnuTLS builds that integrate Exim's BDAT code are especially affected. Researcher Mark Tan from the GnuTLS project stated: "We noticed an unusual pattern in Exim's memory reuse after BDAT parsing. Once we traced the bug, it became clear how easily an attacker could hijack execution flow."
According to the CVE entry, the vulnerability scores 9.8 out of 10 on the CVSS v3 scale, indicating critical severity. The attack vector is network-based with low complexity.
Timeline and Response
Exim released version 4.98.1 on [date], containing the fix. Distributions including Debian, Red Hat, and FreeBSD have already backported the patch.
System administrators should check their Exim version with exim --version and update immediately. For those unable to patch, the workaround of disabling BDAT will prevent exploitation until a maintenance window can be scheduled.
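The version check and workaround check described above, as an added example that is not part of the article or of the Exim project. It assumes that exim --version prints a line beginning "Exim version x.y.z", that the option name ignore_bdat is exactly as the article gives it, and a configuration path of /etc/exim/exim.conf (which differs between distributions).

```shell
#!/bin/sh
# Added example, not part of the article: compare the installed Exim version with the
# fixed release named in the article and check for the article's config workaround.
# Assumed: `exim --version` prints a line starting "Exim version <x.y.z>", the option
# name ignore_bdat is as the article gives it, and the config lives at /etc/exim/exim.conf.
FIXED_VERSION="4.98.1"

# Compare two dotted version strings numerically; prints lt, eq or gt.
# A trailing dot is appended so cut never passes a delimiter-less string through.
vercmp() {
  i=1
  while :; do
    x=$(printf '%s.' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    y=$(printf '%s.' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    [ -z "$x" ] && [ -z "$y" ] && { echo eq; return 0; }
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && { echo lt; return 0; }
    [ "$x" -gt "$y" ] && { echo gt; return 0; }
    i=$((i + 1))
  done
}

# Extract the version number from `exim --version` output (first matching line).
parse_exim_version() {
  sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeeds (exit 0) when VERSION is 4.98.1 or later, i.e. contains the CVE-2026-45185 fix.
exim_is_fixed() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" != lt ]
}

# Succeeds when the given Exim config file sets ignore_bdat = true on an uncommented line.
bdat_disabled_in_config() {
  grep -Eq '^[[:space:]]*ignore_bdat[[:space:]]*=[[:space:]]*true' "$1"
}

# Report on the local installation, if Exim is present.
if command -v exim >/dev/null 2>&1; then
  v=$(exim --version 2>/dev/null | parse_exim_version)
  if [ -n "$v" ] && exim_is_fixed "$v"; then
    echo "Exim $v: at or above $FIXED_VERSION, fix included"
  elif [ -n "$v" ] && bdat_disabled_in_config /etc/exim/exim.conf 2>/dev/null; then
    echo "Exim $v: vulnerable build, but BDAT workaround is set; schedule the upgrade"
  else
    echo "Exim ${v:-unknown}: update to $FIXED_VERSION or later, or apply the workaround"
  fi
fi
```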