What Happened
Researchers at XBOW disclosed CVE-2026-45185, a critical use-after-free vulnerability in the Exim mail transfer agent, on May 12, 2026. The flaw is nicknamed Dead.Letter and affects all Exim builds compiled with GnuTLS — covering versions 4.97 through 4.99.2 inclusive. Exim builds using OpenSSL as the TLS library are not impacted.
The vulnerability lives in Exim’s BDAT (binary data) message body handling path. When a client initiates a BDAT data transfer over a TLS connection and then sends a TLS close_notify alert before the transfer completes — followed by one final byte delivered in cleartext on the same TCP connection — Exim writes into a heap buffer it has already freed during TLS session teardown. The result is heap corruption that an attacker with control of the SMTP connection sequence can turn into arbitrary code execution.
An attacker needs only a TLS session to the SMTP service (STARTTLS on port 25 or 587, or implicit TLS on 465) and a server that advertises the CHUNKING extension so that BDAT is accepted; Exim advertises CHUNKING by default, since chunking_advertise_hosts defaults to *. No credentials are required, and no message has to be delivered for the freed buffer to be written. Federico Kirschbaum of XBOW discovered and reported the flaw on May 1, 2026. XBOW described it as "one of the highest-caliber bugs" found in Exim, noting it requires almost no special server configuration to trigger. Exim 4.99.3 addresses the issue.
Why This Matters for Canadian Organizations
Exim is one of the most widely deployed mail transfer agents on Linux and BSD systems worldwide. It is the default MTA on Debian, whose exim4 packages are built against GnuTLS and therefore sit squarely in the affected build class, and it is packaged for Ubuntu and most other distributions. Debian-based servers are among the most common platforms used by Canadian hosting providers, managed service providers, educational institutions, and open-source infrastructure operators.
An unauthenticated RCE on an internet-facing mail server is a highest-severity incident. Attackers who exploit Dead.Letter gain code execution in the Exim process context, which typically runs with elevated privileges on the host. From there, lateral movement, credential theft, and ransomware deployment are all within reach.
Canadian hosting providers and MSPs running shared mail infrastructure face the widest exposure. A single unpatched Exim instance serving hundreds of client domains becomes a multi-tenant breach scenario. For organizations subject to PIPEDA or provincial privacy law, a mail server compromise is also a reportable breach if email content or personal data is accessible.
CISA has not yet added CVE-2026-45185 to the Known Exploited Vulnerabilities catalog as of May 13, but the low exploitation barrier makes this a priority patch regardless of active-exploitation status. Canadian security teams should treat the absence of a KEV listing as a timing gap, not a severity signal.
What to Do
Upgrade to Exim 4.99.3 immediately on every server compiled with GnuTLS. Run exim -bV (exim --version is accepted as a synonym) and look at the "Support for:" and "Library version:" lines, which name either GnuTLS or OpenSSL; the first line of the same output gives the Exim version. If your distribution has not yet shipped 4.99.3, disable the CHUNKING extension as a temporary mitigation by setting chunking_advertise_hosts to an empty value in the main section of the Exim configuration, that is, a line reading chunking_advertise_hosts = with nothing after the equals sign (the default is *), and then restart the daemon. Once CHUNKING is no longer advertised in the EHLO response, clients fall back to the classic DATA command, so ordinary mail flow continues. You can confirm the mitigation from outside with openssl s_client -starttls smtp -connect against your server, issuing EHLO and checking that 250-CHUNKING is absent. This mitigation rests on the advisory's statement that the bug is reached only through BDAT; it narrows the attack surface but is not a substitute for the patch.
Audit all internet-facing Exim instances in your environment, including those managed by third-party hosting and MSP partners. Confirm patching timelines with vendors who manage mail infrastructure on your behalf.
Review SMTP access logs for anomalous BDAT sequences, unexpected TLS teardown patterns, or connections that initiate a chunked transfer and terminate abruptly. Be aware that Exim's default log_selector does not record every inbound connection or every SMTP command: add +smtp_connection and +smtp_protocol_error (and +tls_cipher if it is not already on) so that sessions that open TLS and then die mid-transaction leave a trace, and search existing logs for the default "unexpected disconnection while reading SMTP command from" entries as a starting point. A packet capture on the SMTP ports is the only way to reconstruct the exact close_notify-then-cleartext sequence. These patterns are consistent with Dead.Letter exploitation attempts, but scanners and misbehaving clients produce similar noise, so correlate by source address and timing and treat hits as leads rather than confirmation.
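As an added example (not part of the advisory and not Exim project code), the following POSIX shell script applies the advisory's criteria to the text of exim -bV and exim -bP chunking_advertise_hosts: it reports whether a host is in the affected build class (GnuTLS builds, 4.97 through 4.99.2, fixed in 4.99.3) and whether the CHUNKING mitigation is already in place. The two command outputs embedded in it are constructed samples so it runs offline; the line prefixes it parses ("Exim version", "Support for:", "Library version:" and the option = value form of -bP) are the standard Exim output formats, and the status words and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the Exim project): triage one host
# against CVE-2026-45185 using the output of two Exim commands.
# The two samples below are CONSTRUCTED for offline use; on a real server use
#   bv=$(exim -bV)    and    cfg=$(exim -bP chunking_advertise_hosts)

SAMPLE_BV='Exim version 4.98.1 #2 built 03-Feb-2025 10:11:12
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DANE DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Library version: GnuTLS: Compile: 3.8.3
                         Runtime: 3.8.3'

SAMPLE_CFG='chunking_advertise_hosts = *'

# Map "MAJ.MIN[.PATCH]" to an integer so version ranges compare with -ge/-lt.
version_key() {
  v=$1
  maj=${v%%.*}; rest=${v#*.}
  if [ "$rest" = "$v" ]; then rest=0; fi
  min=${rest%%.*}; pat=${rest#*.}
  if [ "$pat" = "$rest" ]; then pat=0; fi
  echo $(( maj * 1000000 + min * 1000 + pat ))
}

# Which TLS library the binary was built with: GnuTLS, OpenSSL or unknown.
tls_library() {
  if printf '%s\n' "$1" | grep -Eq '^(Support for|Library version):.*GnuTLS'; then
    echo GnuTLS
  elif printf '%s\n' "$1" | grep -Eq '^(Support for|Library version):.*OpenSSL'; then
    echo OpenSSL
  else
    echo unknown
  fi
}

# Affected build class per the advisory: GnuTLS and 4.97 <= version < 4.99.3.
# Prints one of: affected, outside-affected-range, not-affected-openssl, unknown
dead_letter_status() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
  lib=$(tls_library "$1")
  if [ -z "$ver" ] || [ "$lib" = unknown ]; then
    echo unknown; return 0
  fi
  if [ "$lib" = OpenSSL ]; then
    echo not-affected-openssl; return 0
  fi
  key=$(version_key "$ver")
  if [ "$key" -ge "$(version_key 4.97)" ] && [ "$key" -lt "$(version_key 4.99.3)" ]; then
    echo affected
  else
    echo outside-affected-range
  fi
}

# Is CHUNKING still advertised? An empty chunking_advertise_hosts disables BDAT.
# Prints yes, no, or unknown (option line not present in the input).
chunking_advertised() {
  if ! printf '%s\n' "$1" | grep -q '^chunking_advertise_hosts'; then
    echo unknown; return 0
  fi
  val=$(printf '%s\n' "$1" | sed -n 's/^chunking_advertise_hosts *= *//p')
  if [ -n "$val" ]; then echo yes; else echo no; fi
}

# Combine both checks into an action line for the operator.
triage() {
  status=$(dead_letter_status "$1")
  adv=$(chunking_advertised "$2")
  echo "build: $status, chunking advertised: $adv"
  case "$status:$adv" in
    affected:no) echo "ACTION: upgrade to 4.99.3 (CHUNKING already off, mitigation in place)" ;;
    affected:*)  echo "ACTION: upgrade to 4.99.3; until then set 'chunking_advertise_hosts =' and restart Exim" ;;
    unknown:*)   echo "ACTION: could not parse build info, verify exim -bV by hand" ;;
    *)           echo "no action for CVE-2026-45185" ;;
  esac
}

triage "$SAMPLE_BV" "$SAMPLE_CFG"
```

Run against the constructed sample the script reports an affected 4.98.1 GnuTLS build with CHUNKING still advertised. Feeding it the real command outputs from each mail host, including those operated by a hosting partner who can run the two commands for you, gives a quick inventory to drive the patching timeline.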
Source: The Hacker News