Critical Exim BDAT GnuTLS Flaw Vulnerability Enables

A serious security flaw has been identified in Exim, one of the internet’s most widely deployed mail transfer agents. Tracked as EXIM-Security-2026-05-01.1, this vulnerability allows a remote attacker to corrupt server memory and potentially execute malicious code. Significantly, no special privileges or credentials are required for its exploitation.

It was publicly disclosed on May 12, 2026, following a coordinated responsible disclosure process that began in early May.

The flaw sits inside Exim’s GnuTLS backend, the component that handles encrypted email communication over TLS. It is triggered when a client uses the BDAT command, which is part of the CHUNKING extension in the SMTP protocol used to send large email bodies in pieces.

If an attacker sends a TLS close_notify alert before the body transfer finishes, and then follows it up with one final byte in plain text on the same TCP connection, the server enters a dangerous and unstable state.

Exim maintainers, led by Heiko Schlittermann, acknowledged the report and confirmed the issue after receiving it from security researcher Federico Kirschbaum of XBOW Security on May 1, 2026. The team moved quickly, preparing a fix in a private repository and notifying distributors with restricted early access to patches before the public advisory went live on May 12.

What makes this vulnerability especially concerning is how little an attacker actually needs to carry it out successfully. No login, no special account, and no prior access to the target system is required at all. All an attacker needs is the ability to open a TLS connection to an Exim server and use the BDAT extension, both of which are completely standard features of modern email infrastructure available to anyone.

New Exim BDAT GnuTLS Vulnerability

Exim powers email delivery for a significant portion of internet servers around the world, particularly in Linux-based environments. The reach of this flaw is broad, affecting all builds of Exim from version 4.97 through 4.99.2 that were compiled with GnuTLS support. That covers a large share of production mail servers running today, making the exposure window a genuine cause for concern among system administrators and security teams globally.

The technical heart of this vulnerability is a use-after-free condition, a well-known class of memory bug where a program continues to use a memory address after it has already been released. When Exim receives a TLS close_notify alert mid-transfer during an active BDAT session, it begins tearing down the TLS session internally. The problem is that the input processing stack is not properly reset at this point, leaving stale and dangerous memory pointers behind.

When the attacker then sends one more byte in cleartext over the same TCP connection, Exim tries to write data using a pointer that now points to freed memory. This corrupts the heap, the region of memory where the program stores active data and running state. In the right conditions, an attacker can use this corruption to redirect code execution and run their own commands on the server.

It is worth noting that this issue only affects Exim builds compiled with the USE_GNUTLS=yes flag. Servers using OpenSSL or other TLS libraries are not vulnerable to this specific attack path, which narrows the scope but still leaves a large number of systems fully exposed and at risk.

Patch and Recommended Action

The Exim development team released version 4.99.3 on May 12, 2026, which fully resolves the vulnerability. The fix resets the input processing stack cleanly whenever a TLS close notification arrives during an active BDAT transfer, cutting off the entire chain of events that leads to heap corruption.

There is no known workaround or configuration change that can protect a system short of upgrading to the latest release. Server administrators running Exim 4.97 through 4.99.2 with GnuTLS enabled should treat this as an urgent and high-priority update. The patched release is available through the official Exim FTP server and code repository for immediate deployment.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.