Exim, a widely-used open-source Mail Transfer Agent (MTA) for Unix-like systems, has released critical security updates to address a severe vulnerability that could lead to memory corruption and potential remote code execution. This newly patched flaw, designated CVE-2026-45185 and nicknamed “Dead.Letter,” impacts specific configurations of the email server software.
The vulnerability was discovered and reported by Federico Kirschbaum, head of Security Lab at XBOW, an autonomous cybersecurity testing platform, on May 1, 2026. Exim has acknowledged the severity of the issue and urges all users to update their systems promptly to mitigate the risk.
Exim Addresses Critical Dead.Letter Vulnerability
The Dead.Letter vulnerability (CVE-2026-45185) resides in Exim’s handling of the Binary Data Transmission (BDAT) SMTP extension when using the GnuTLS library for Transport Layer Security (TLS) connections. According to Exim’s advisory, the flaw is triggered when a client establishes a TLS connection and then sends a TLS `close_notify` alert before the complete message body transfer is finalized. Following this alert, the client then sends a final byte in cleartext over the same TCP connection.
This specific sequence of events causes Exim to attempt writing data into a memory buffer that has already been freed during the TLS session teardown process. The result is heap corruption, which an attacker can exploit. To trigger the vulnerability, an attacker needs only the ability to establish a TLS connection to the server and use the BDAT SMTP extension.
“During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (n) into the freed region,” Kirschbaum explained. “That one-byte write lands on Exim’s allocator metadata, corrupting the allocator’s internal shape; the exploit then leverages that corruption to gain further primitives.”
XBOW has characterized the vulnerability as one of the most significant security concerns identified in Exim to date, noting that its exploitation is relatively straightforward without requiring extensive server configuration changes.
Affected Versions and Mitigation Measures
The vulnerability affects Exim versions ranging from 4.97 up to and including 4.99.2. Importantly, this issue is specific to builds configured with `USE_GNUTLS=yes`. Exim versions that rely on alternative TLS libraries, such as OpenSSL, are not impacted by this particular flaw. Users are strongly advised to verify their build configurations and update accordingly.
Exim has released version 4.99.3 which contains the fix for CVE-2026-45185. The patch works by ensuring that the input processing stack is properly reset when a TLS `close_notify` is received during an active BDAT transfer, thereby preventing the misuse of stale pointers. As of the advisory’s release, no other mitigations are available to address this specific vulnerability.
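To check an Exim host against the affected range stated above (4.97 through 4.99.2, GnuTLS builds only), the following script parses the output of `exim -bV`. It is an added example, not code from Exim or the advisory; the assumption that the `Support for:` or `Library version:` lines name the TLS library is mine, and the sample output below is constructed.

```python
import re

# Range from the advisory: 4.97 up to and including 4.99.2; fixed in 4.99.3.
FIRST_AFFECTED = (4, 97, 0)
LAST_AFFECTED = (4, 99, 2)

# Constructed sample of `exim -bV` output for a GnuTLS build (not real host data).
SAMPLE_BV = """Exim version 4.98.1 #2 built 14-Mar-2026 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC
Library version: GnuTLS: Compile: 3.8.1  Runtime: 3.8.1
"""

def parse_version(bv_output):
    """Return the version tuple from the 'Exim version X.Y[.Z]' line; a missing
    patch level counts as 0 so that '4.97' sorts as (4, 97, 0)."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        raise ValueError("no 'Exim version' line found in -bV output")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def uses_gnutls(bv_output):
    """True if the build reports GnuTLS as its TLS library (USE_GNUTLS=yes).
    Which lines carry that information is an assumption about the -bV format."""
    for line in bv_output.splitlines():
        if line.startswith(("Support for:", "Library version:")) and "gnutls" in line.lower():
            return True
    return False

def is_vulnerable(bv_output):
    """Affected only when the version is in range AND the build uses GnuTLS;
    OpenSSL builds in the same version range are not affected."""
    version = parse_version(bv_output)
    return uses_gnutls(bv_output) and FIRST_AFFECTED <= version <= LAST_AFFECTED

def assess(bv_output):
    """One-line verdict suitable for a fleet inventory report."""
    version = ".".join(map(str, parse_version(bv_output)))
    tls = "GnuTLS" if uses_gnutls(bv_output) else "non-GnuTLS"
    verdict = "VULNERABLE, upgrade to 4.99.3 or later" if is_vulnerable(bv_output) else "not affected"
    return f"Exim {version} ({tls} build): {verdict}"

if __name__ == "__main__":
    print(assess(SAMPLE_BV))
```

Pipe real output in with `exim -bV | python3 check_dead_letter.py` after replacing the sample, or call `assess()` on each host's captured output.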
This incident is not the first time Exim has faced critical security disclosures. In late 2017, the software patched a severe use-after-free vulnerability (CVE-2017-16943), which had a CVSS score of 9.8 and could have allowed unauthenticated attackers to achieve remote code execution through carefully crafted BDAT commands, potentially leading to a complete compromise of the email server.
Looking ahead, system administrators are expected to prioritize immediate upgrades to Exim version 4.99.3 or later to safeguard their email infrastructure. The cybersecurity community will likely monitor for any emergent exploitation attempts and further analysis of the vulnerability’s impact. The swift application of this patch is crucial to maintaining the security and integrity of email communications handled by Exim servers.