Critical Exim Mailer Flaw Allows Remote Code Execution
A critical vulnerability has been disclosed in the widely deployed Exim mail server, enabling unauthenticated attackers to execute arbitrary code. The flaw can lead to full compromise of exposed servers.
Federico Kirschbaum, head of the Security Lab at XBOW, discovered and reported the issue, which has been dubbed Dead.Letter.
The vulnerability carries a CVSS severity score of 9.8, placing it among the most severe bugs reported in the Exim ecosystem.
Organizations running this open-source mail server must act immediately: the flaw is reachable in a default configuration and can be triggered silently, without any user interaction.
Exim RCE Flaw Disclosed
At the root of the exploit is a use-after-free memory corruption flaw tracked as CVE-2026-45185.
According to the Exim security advisory and independent analysis by CyCognito, the bug lies in the message-body parsing logic for the SMTP CHUNKING extension (BDAT, binary data transmission) when the TLS connection is handled by the GnuTLS library.
An attacker triggers the flaw by manipulating the connection sequence during an active BDAT transfer.
The attacker sends a standard TLS close_notify alert before the binary data transfer is complete, then immediately sends a single cleartext byte on the same TCP connection.
Exim tears down the TLS session on the close_notify and frees an internal receive buffer as part of that teardown, but the trailing cleartext byte is still written into the buffer that has just been freed.
That one misdirected byte is enough to corrupt the heap allocator's internal metadata.
As XBOW's technical disclosure highlights, this single-byte heap corruption is sufficient to achieve unauthenticated remote code execution.
The attack requires only the ability to open a TLS connection to the server and to use the standard SMTP CHUNKING extension, both of which are enabled by default on modern deployments.
Despite the critical nature of the Dead.Letter vulnerability, exposure depends on how the Exim binary was built.
The Hacker News reports that the issue affects only Exim versions 4.97 through 4.99.2 when compiled with the GnuTLS library.
Builds linked against an alternative TLS library, such as OpenSSL, are not affected by this attack vector.
Consequently, the threat is concentrated on Debian, Ubuntu and Debian-derived Linux distributions, whose packaged Exim is built against GnuTLS, while systems such as Red Hat Enterprise Linux are generally not exposed.
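A quick exposure check, added here and not part of the original article or of the Exim project: the script below reads the text printed by `exim -bV`, which reports the running version on its first line and names the TLS library the binary was built against, and classifies the build against the 4.97 to 4.99.2 GnuTLS window described above. The exact wording of the `-bV` output is assumed from common builds, and the three sample outputs are constructed for illustration; verify both against your own binary.

```sh
#!/bin/sh
# Added example, not code from the article or from the Exim project.
# Classifies an Exim build against the exposure window described for
# CVE-2026-45185: Exim 4.97 .. 4.99.2 built with GnuTLS.
# Input is the text printed by `exim -bV`; the first line is assumed to read
# "Exim version X.Y.Z #N built ..." and the TLS library is assumed to appear
# by name (GnuTLS or OpenSSL) in the "Support for:" / "Library version:" lines.

# Extract the dotted version from -bV text passed as $1 (empty if absent).
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Name the TLS library the build reports in $1: GnuTLS, OpenSSL or unknown.
exim_tls_lib() {
    case $1 in
        *GnuTLS*|*gnutls*)   echo GnuTLS ;;
        *OpenSSL*|*openssl*) echo OpenSSL ;;
        *)                   echo unknown ;;
    esac
}

# Print "yes" if dotted version $1 lies in 4.97 .. 4.99.2 inclusive, else "no".
# Handles two- and three-component versions (4.97, 4.98.1, 4.99.2).
version_in_window() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then rest=""; fi
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi
    patch=${patch%%.*}
    if [ -z "$minor" ]; then minor=0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 97 ] && [ "$minor" -le 99 ]; then
        if [ "$minor" -eq 99 ] && [ "$patch" -gt 2 ]; then
            echo no
        else
            echo yes
        fi
    else
        echo no
    fi
}

# Classify one -bV output: vulnerable, version-outside-window, not-gnutls,
# or unknown (no "Exim version" line found).
exim_exposure() {
    ver=$(exim_version "$1")
    lib=$(exim_tls_lib "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif [ "$lib" != GnuTLS ]; then
        echo not-gnutls
    elif [ "$(version_in_window "$ver")" = yes ]; then
        echo vulnerable
    else
        echo version-outside-window
    fi
}

# Constructed sample outputs (abridged) in the shape `exim -bV` prints.
SAMPLE_DEBIAN='Exim version 4.98.2 #2 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC PRDR
Library version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3'

SAMPLE_OPENSSL='Exim version 4.98.2 #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC PRDR
Library version: OpenSSL: Compile: OpenSSL 3.0.13'

SAMPLE_FIXED='Exim version 4.99.3 #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM
Library version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3'

# Check the live binary when one is installed (Debian names it exim4),
# then show the classification of the three samples.
if command -v exim >/dev/null 2>&1; then
    echo "local exim: $(exim_exposure "$(exim -bV 2>/dev/null)")"
elif command -v exim4 >/dev/null 2>&1; then
    echo "local exim4: $(exim_exposure "$(exim4 -bV 2>/dev/null)")"
fi
for s in "$SAMPLE_DEBIAN" "$SAMPLE_OPENSSL" "$SAMPLE_FIXED"; do
    echo "sample: $(exim_exposure "$s")"
done
```

A `vulnerable` result means "check further", not "confirmed exploitable": Debian and Ubuntu routinely backport security fixes without changing the upstream version string that `-bV` reports, so confirm the package's changelog (for example `apt changelog exim4-daemon-light`) before concluding that a 4.97 to 4.99.2 GnuTLS build is still unpatched.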
System administrators cannot rely on simple workarounds. The Exim development team has fixed the memory handling flaw in version 4.99.3, and the consistent advice is to upgrade immediately.
Because no configuration change fully closes the hole without breaking functionality, patching remains the only definitive defense.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.