Critical Exim BDAT GnuTLS Bug Lets Attackers Run Code
Key Takeaways
- A critical remote code execution (RCE) vulnerability, tracked as EXIM-Security-2026-05-01.1, has been discovered in Exim, a widely used mail transfer agent.
- The flaw affects Exim versions 4.97 through 4.99.2 when compiled with GnuTLS support, impacting a significant number of active email servers.
- Exploitation requires no authentication or special privileges, making it a severe threat.
- A patch is available in Exim version 4.99.3, and immediate upgrade is strongly recommended.
A severe security vulnerability has been uncovered in Exim, a mail transfer agent (MTA) that plays a crucial role in delivering email across a substantial portion of the internet. Identified as EXIM-Security-2026-05-01.1, this flaw could allow an unauthenticated remote attacker to corrupt server memory, potentially leading to arbitrary code execution. The critical nature of this vulnerability stems from the fact that no special permissions or credentials are necessary for its exploitation.
Details of the vulnerability were published on May 12, 2026, at the end of a coordinated disclosure process that began on May 1, 2026. The full technical write-up is in XBOW Security's report.
The vulnerability sits in Exim's GnuTLS backend, the component that handles TLS-encrypted SMTP sessions. It is reached through the BDAT command of the SMTP CHUNKING extension (RFC 3030), which replaces the dot-terminated DATA stream with a sequence of length-prefixed body chunks.
An attacker triggers the faulty state by sending a TLS close_notify alert before the chunked body transfer is complete, then a single plaintext byte on the same TCP connection. Exim tears down the TLS session on the close_notify but does not reset the input-processing state it was using, so the following byte is handled through stale state; the advisory documents this as memory corruption that can lead to code execution.
The Exim maintainers, led by Heiko Schlittermann, acknowledged the issue after security researcher Federico Kirschbaum of XBOW Security reported it on May 1, 2026. The team prepared a fix in a private repository and gave distributors restricted early access to the patches before publishing the advisory on May 12, as described in the official Exim security advisory.
What makes this vulnerability particularly alarming is its low barrier to exploitation. An attacker needs no authentication, no account, and no prior access to the target system. The only prerequisites are the ability to open a TLS connection to the Exim server and to use the BDAT command, and both STARTTLS and CHUNKING are standard SMTP extensions that a typical internet-facing Exim server advertises in its EHLO response.
New Exim BDAT GnuTLS Vulnerability
Exim is a widely adopted MTA, especially prevalent on Linux systems, and handles email delivery for a large number of internet-facing servers. The flaw affects every Exim build from version 4.97 through 4.99.2 that was compiled with GnuTLS support; because the bug lives in the GnuTLS backend, builds linked against OpenSSL fall outside the affected set the advisory describes. The affected range still covers a significant share of production mail servers, leaving a considerable exposure window for administrators and security teams.
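The first thing a practitioner wants from this paragraph is a way to tell whether a given host is in the affected set. The shell functions below do that from the output of `exim -bV`, which prints the build's version and the TLS library it was linked against. This is an added example, not code from the advisory, from XBOW Security or from the Exim project; the embedded `exim -bV` text is a constructed, abridged sample used only when no `exim` binary is on PATH, and the `4.97 .. 4.99.2` / `4.99.3` boundaries are taken from the advisory as reported above.

```shell
#!/bin/sh
# Added example: classify a local Exim build against EXIM-Security-2026-05-01.1
# (affected: 4.97 .. 4.99.2 built with GnuTLS; fixed: 4.99.3).
# Not from the advisory or the Exim project.

# Constructed sample of `exim -bV` output (abridged); used when no exim binary is on PATH.
SAMPLE_BV='Exim version 4.98.1 #2 built 01-May-2026 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
Library version: GnuTLS: Compile: 3.8.3  Runtime: 3.8.3
Configuration file is /etc/exim4/exim4.conf'

# "4.99.2" -> 4099002, "4.97" -> 4097000, so version ranges compare as integers.
vernum() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# First "Exim version X.Y[.Z]" line -> "X.Y[.Z]" (distro suffixes after the digits are dropped).
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Which TLS library the binary was linked against: GnuTLS, OpenSSL or none.
tls_backend() {
    if   printf '%s\n' "$1" | grep -qi 'gnutls';  then echo GnuTLS
    elif printf '%s\n' "$1" | grep -qi 'openssl'; then echo OpenSSL
    else echo none
    fi
}

# Verdict for a version string and a backend name: affected | fixed | not-affected | unknown.
classify() {
    if [ -z "$1" ]; then
        echo unknown                 # version line not found in the input
        return 0
    fi
    n=$(vernum "$1")
    if [ "$2" != GnuTLS ]; then
        echo not-affected            # the flaw is in the GnuTLS backend
    elif [ "$n" -ge 4097000 ] && [ "$n" -le 4099002 ]; then
        echo affected
    elif [ "$n" -ge 4099003 ]; then
        echo fixed
    else
        echo not-affected            # older than the affected range
    fi
}

# Verdict straight from a captured `exim -bV` text.
check_exim() {
    classify "$(exim_version "$1")" "$(tls_backend "$1")"
}

# Use the real binary when present, otherwise the constructed sample above.
if command -v exim >/dev/null 2>&1; then
    BV=$(exim -bV 2>/dev/null) || BV=$SAMPLE_BV
else
    BV=$SAMPLE_BV
fi
echo "Exim $(exim_version "$BV") ($(tls_backend "$BV")): $(check_exim "$BV")"
```

On a live host the script can be run by an unprivileged user, since `exim -bV` only prints build information. If the verdict is `affected` and the upgrade to 4.99.3 cannot happen immediately, `exim -bP chunking_advertise_hosts` shows whether CHUNKING is still being offered; setting that option to an empty list stops Exim advertising CHUNKING, which removes the BDAT entry point described above. That stopgap is an added suggestion, not part of the advisory, which recommends upgrading.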
Technical Details of the Use-After-Free
At its technical core, the vulnerability is a use-after-free, a well-known class of memory corruption bug in which a program keeps using memory after it has been freed. Here, when an Exim server receives a TLS close_notify alert during an active BDAT session, it tears down the TLS session internally. The flaw is that the input-processing stack is not reset at that point, leaving behind stale and potentially
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.