Critical Exim BDAT GnuTLS Bug Lets Attackers Run Code


Jennifer Sherman
May 13, 2026

Key Takeaways

  • A critical remote code execution (RCE) vulnerability, tracked as EXIM-Security-2026-05-01.1, has been discovered in Exim, a widely used mail transfer agent.
  • The flaw affects Exim versions 4.97 through 4.99.2 when compiled with GnuTLS support, impacting a significant number of active email servers.
  • Exploitation requires no authentication or special privileges, making it a severe threat.
  • A patch is available in Exim version 4.99.3, and immediate upgrade is strongly recommended.

A severe security vulnerability has been uncovered in Exim, a mail transfer agent (MTA) that plays a crucial role in delivering email across a substantial portion of the internet. Identified as EXIM-Security-2026-05-01.1, this flaw could allow an unauthenticated remote attacker to corrupt server memory, potentially leading to arbitrary code execution. The critical nature of this vulnerability stems from the fact that no special permissions or credentials are necessary for its exploitation.

Details of the vulnerability were publicly released on May 12, 2026, following a structured responsible disclosure process initiated earlier that month. Full technical insights are detailed in a report by XBOW Security.

The core of the vulnerability resides within Exim’s GnuTLS backend, the component responsible for managing encrypted email communications via TLS. It manifests when a client initiates a BDAT command, which is part of the SMTP protocol’s CHUNKING extension designed for transmitting large email bodies in segmented pieces.

An attacker can trigger this dangerous state by sending a TLS close_notify alert before the full email body transfer is complete. If this is then immediately followed by a single plaintext byte on the same TCP connection, the Exim server enters an unstable condition, making it susceptible to memory corruption and potential code execution. This behavior is documented in the advisory.

The Exim maintainers, under the leadership of Heiko Schlittermann, promptly acknowledged the issue after security researcher Federico Kirschbaum of XBOW Security reported it on May 1, 2026. The development team responded swiftly, preparing a fix in a private repository and providing restricted early access to patches for distributors before the public advisory was issued on May 12, as outlined in the official Exim security advisory.

What makes this vulnerability particularly alarming is its low barrier to exploitation. An attacker does not require any form of authentication, special account, or prior access to the target system. The only prerequisites are the ability to establish a TLS connection to an Exim server and utilize the BDAT extension, both of which are standard features of modern email infrastructure and universally accessible.

New Exim BDAT GnuTLS Vulnerability

Exim is a widely adopted MTA, especially prevalent in Linux-based environments, powering email delivery for a substantial number of internet servers globally. The newly discovered flaw has a broad impact, affecting all Exim builds from version 4.97 through 4.99.2 that were compiled with GnuTLS support. This encompasses a significant portion of active production mail servers, creating a considerable exposure window for system administrators and security teams worldwide.
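A triage check for the affected range described above, as an added example that is not part of the original article or the Exim project. It assumes the host's `exim -bV` output carries the usual "Exim version" banner and a "Support for:" feature line; the sample output and the function names are constructed for illustration.

```python
import re

AFFECTED_MIN = (4, 97, 0)   # first affected release, per the article
FIXED = (4, 99, 3)          # first fixed release, per the article

# Constructed, abridged sample of `exim -bV` output (not from a real host).
SAMPLE_BV = """\
Exim version 4.98.1 #2 built 10-Mar-2026 09:12:44
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.8.3
                         Runtime: 3.8.3
"""

def parse_version(bv_output):
    """Return (major, minor, patch) from the version banner, or None."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def tls_library(bv_output):
    """Return 'GnuTLS', 'OpenSSL' or None, read from the feature line only."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    features = m.group(1).split() if m else []
    for lib in ("GnuTLS", "OpenSSL"):
        if lib in features:
            return lib
    return None

def assess(bv_output):
    """Classify a build against the affected range stated in the article."""
    version = parse_version(bv_output)
    if version is None:
        return "unknown"
    if tls_library(bv_output) != "GnuTLS":
        return "not-gnutls-build"
    if AFFECTED_MIN <= version < FIXED:
        # Distribution packages may carry a backported fix without changing
        # the upstream version number; confirm against the vendor changelog.
        return "in-affected-range"
    return "outside-affected-range"

if __name__ == "__main__":
    print(assess(SAMPLE_BV))
```

On a live host, pass the captured output of `exim -bV` to `assess()` in place of the sample.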

Technical Details of the Use-After-Free

At its technical core, the vulnerability is a use-after-free condition, a well-known class of memory corruption bug. This occurs when a program attempts to access a memory location that has already been deallocated. In this specific scenario, when an Exim server receives a TLS close_notify alert during an active BDAT session, it initiates the internal teardown of the TLS session. However, the critical flaw lies in the input processing stack not being properly reset at this juncture, leaving behind stale and potentially
