{"id":895,"date":"2026-05-12T18:53:15","date_gmt":"2026-05-12T18:53:15","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=895"},"modified":"2026-05-12T18:53:15","modified_gmt":"2026-05-12T18:53:15","slug":"new-exim-bdat-vulnerability-exposes-gnutls-builds-to-potential-code-execution","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=895","title":{"rendered":"New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>May 12, 2026<\/span><\/span>Vulnerability \/ Email Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution.<\/p>\n

Exim<\/a> is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email.<\/p>\n

The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free vulnerability in Exim’s binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS.<\/p>\n

\u00abThe vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection,\u00bb Exim said<\/a> in an advisory released today.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abThis sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension.\u00bb<\/p>\n

The issue impacts all Exim versions from 4.97 up to and including 4.99.2. That said, it only affects builds that use USE_GNUTLS=yes, meaning builds that rely on other TLS libraries like OpenSSL are not impacted.<\/p>\n

Federico Kirschbaum, head of Security Lab at XBOW, an autonomous cybersecurity testing platform, has been credited with discovering and reporting the flaw on May 1, 2026.<\/p>\n

\u00abDuring TLS shutdown, Exim frees its TLS transfer buffer \u2013 but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\\n) into the freed region,\u00bb Kirschbaum said<\/a>. \u00abThat one-byte write lands on Exim’s allocator metadata, corrupting the allocator’s internal shape; the exploit then leverages that corruption to gain further primitives.\u00bb<\/p>\n