Critical Exim BDAT Flaw Allows Remote Code Execution in GnuTLS Builds
Urgent Security Advisory: Exim Patches Dead.Letter Vulnerability
Exim has released emergency security updates for a critical use-after-free vulnerability in its handling of the SMTP BDAT command. The flaw, tracked as CVE-2026-45185 and codenamed Dead.Letter, could allow a remote attacker to corrupt memory and execute arbitrary code on mail servers running Exim builds that use GnuTLS.

"This vulnerability represents a severe risk for mail servers running Exim with GnuTLS enabled," said Dr. Elena Flores, a senior security analyst at CyberGuard Labs. "An unauthenticated attacker could send a specially crafted email to exploit the BDAT command, leading to full system compromise."
Background
Exim is an open-source Mail Transfer Agent (MTA) widely used on Unix-like systems to route and deliver email. The vulnerability lies in Exim's handling of the BDAT command, which belongs to the SMTP CHUNKING extension (RFC 3030), and is reachable only in builds that use GnuTLS for TLS.
The underlying defect is a use-after-free: after a TLS renegotiation, Exim continues to reference memory that was released during the renegotiation. An attacker who sends a sequence of BDAT commands crafted to force a renegotiation can make the server read from and write to that freed memory, potentially overwriting critical data structures.
"The attack vector is particularly concerning because it does not require authentication or prior access to the server," added Mark Thompson, lead developer at OpenSource Security Initiative. "It’s a classic use-after-free but with a twist specific to the BDAT protocol extension."
What This Means
If exploited, the vulnerability could let an attacker execute arbitrary code with the privileges of the Exim process handling the SMTP session, which on a standard installation means root. That gives full control of the mail server: reading or altering stored mail, distributing malware, or pivoting to other systems on the network.

Organizations running GnuTLS builds of Exim are strongly advised to update immediately to the patched release. A server is in scope when all of the following hold:
- It runs Exim 4.94 through 4.97.1 (check with exim -bV).
- That build was compiled against GnuTLS rather than OpenSSL (exim -bV names the TLS library on its "Support for:" line).
- It accepts BDAT, which it does whenever the CHUNKING extension is advertised. Exim advertises CHUNKING to every client by default, because chunking_advertise_hosts defaults to *.
"Admins should not delay patching," warned Thompson. "We have seen proof-of-concept code in private circles. It’s a matter of time before this gets weaponized."
Mitigation Steps
The Exim project has released version 4.97.2, which fixes CVE-2026-45185; upgrading is the only complete fix. Where patching cannot happen immediately, stop Exim from offering BDAT by disabling the CHUNKING extension that carries it: set chunking_advertise_hosts to an empty list in the main section of the configuration (the default is *, which advertises CHUNKING to every client) and restart the daemon. Exim rejects a BDAT command from a client to which CHUNKING was not advertised. RFC-compliant senders fall back to DATA when CHUNKING is absent, so the practical cost is losing BINARYMIME (which depends on CHUNKING) and somewhat less efficient transfer of large messages; treat the change as a stopgap and confirm with an EHLO probe that CHUNKING is no longer listed.
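As an added example (not code from the Exim project or from the advisory), the shell helpers below do the two checks that the affected-systems list and the workaround above call for: they parse exim -bV output to decide whether a build falls inside the listed version range and was compiled against GnuTLS, and they inspect an EHLO response for CHUNKING, the extension that carries BDAT, so you can confirm that the chunking_advertise_hosts workaround has taken effect. The sample -bV output and EHLO banner are constructed; the layout relied on (an "Exim version X" line and a "Support for:" line naming GnuTLS or OpenSSL) is how exim -bV prints it, while the function names and the integer version key are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Exim project or from the advisory.
# Triage helpers: is this build inside the advisory's range (4.94 .. 4.97.1,
# GnuTLS builds), and does the listener still advertise CHUNKING (BDAT)?

# Turn "4.97.1" or "4.96" into a sortable integer:
# major*1000000 + minor*1000 + patch (patch defaults to 0).
version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + ($3 + 0) }'
}

# Exit 0 when the version is inside the affected range 4.94 .. 4.97.1 inclusive.
version_affected() {
    key=$(version_key "$1")
    [ "$key" -ge "$(version_key 4.94)" ] && [ "$key" -le "$(version_key 4.97.1)" ]
}

# Read `exim -bV` output on stdin and print the version from
# "Exim version 4.96 #2 built ...".
bv_version() {
    awk '/^Exim version/ { print $3; exit }'
}

# Read `exim -bV` output on stdin and print the TLS library named on the
# "Support for:" line (GnuTLS or OpenSSL); prints nothing for a no-TLS build.
bv_tls_library() {
    awk '/^Support for:/ {
        for (i = 3; i <= NF; i++) if ($i == "GnuTLS" || $i == "OpenSSL") { print $i; exit }
    }'
}

# Exit 0 when the -bV text passed as $1 describes a build in the advisory's
# scope: an affected version that was compiled against GnuTLS.
exim_at_risk() {
    ver=$(printf '%s\n' "$1" | bv_version)
    lib=$(printf '%s\n' "$1" | bv_tls_library)
    [ "$lib" = "GnuTLS" ] && version_affected "$ver"
}

# Exit 0 when the EHLO response passed as $1 still advertises CHUNKING,
# i.e. the listener will accept BDAT and the workaround is not in effect.
advertises_chunking() {
    printf '%s\n' "$1" | grep -Eq '^250[- ]CHUNKING'
}

# Constructed sample data so the script runs stand-alone. On a real host use:
#   exim -bV
#   printf 'EHLO probe.example\r\nQUIT\r\n' | nc mail.example 25
SAMPLE_BV='Exim version 4.96 #2 built 17-Aug-2022 20:12:34
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.7.3'

SAMPLE_EHLO='250-mail.example Hello probe.example [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP'

if exim_at_risk "$SAMPLE_BV"; then
    echo "build is an affected version compiled against GnuTLS: patch to 4.97.2"
fi
if advertises_chunking "$SAMPLE_EHLO"; then
    echo "listener still advertises CHUNKING, so BDAT is accepted: workaround not applied"
fi
```

Run the two real commands in the comments against your own hosts and feed their output to exim_at_risk and advertises_chunking; after setting chunking_advertise_hosts to an empty list and restarting Exim, the EHLO probe should no longer contain a 250-CHUNKING line.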
For a step-by-step upgrade guide, refer to the official Exim documentation.
Industry Response
The US-CERT has issued an advisory urging all Exim users to apply the patch as soon as possible. Several major cloud providers have already begun rolling out updates to their email infrastructure.
"This is a wake-up call for MTA operators," concluded Dr. Flores. "Open-source software is not immune to critical flaws. Regular vulnerability audits and rapid patch management are essential."