Critical Exim Flaw (CVE-2023-42173) Lets Remote Attackers Run Code
Key Takeaways
- A critical use-after-free vulnerability, CVE-2026-45185, has been discovered in the Exim mail server.
- The flaw allows unauthenticated remote code execution, posing a severe risk of full server compromise.
- It specifically impacts Exim versions 4.97 through 4.99.2 when compiled with the GnuTLS library.
- A patch is available in Exim version 4.99.3, and immediate upgrades are strongly recommended.
A severe security vulnerability has been identified in Exim, a widely utilized open-source mail transfer agent. This critical flaw permits unauthenticated attackers to execute arbitrary code on affected servers, potentially leading to complete system compromise. The discovery highlights a significant risk for organizations relying on this email infrastructure.
The issue, dubbed “Dead.Letter,” was uncovered and reported by Federico Kirschbaum, who leads the Security Lab at XBOW. Its severity is underscored by a CVSS score of 9.8, placing it among the most critical vulnerabilities ever reported in the Exim software ecosystem.
Exploitation of this flaw requires no specific server configuration and can be triggered without any user interaction, making it particularly dangerous. Organizations operating vulnerable Exim instances are urged to act swiftly to mitigate the threat.
Exim RCE Flaw Detailed
At the core of this exploit is a use-after-free memory corruption flaw, officially tracked as CVE-2026-45185. The vulnerability lies in the logic that parses binary data within message bodies when Exim uses the GnuTLS library to handle TLS connections, according to security advisories from Exim and independent analysis by CyCognito.
Attackers can trigger the flaw by manipulating the connection sequence during an active data transfer. The exploit sequence involves sending a standard Transport Layer Security close notification alert before the binary data transfer is complete. This is immediately followed by a single cleartext byte transmitted over the same TCP connection. This precise timing and data manipulation cause the mail server to attempt to write data into a memory buffer that has already been deallocated during the normal session teardown process.
By effectively misdirecting this single byte of data, attackers can corrupt the internal structure of the memory allocator. As XBOW researchers detailed in their technical disclosure, this seemingly minor single-byte heap corruption is sufficient to facilitate privilege escalation and achieve unauthenticated remote code execution. Security experts emphasize that successful exploitation only requires the ability to establish a secure connection and to use the standard SMTP chunking extension, both of which are common default configurations in modern Exim deployments.
Affected Systems and Mitigation
Despite the critical nature of the Dead.Letter vulnerability, its impact is somewhat confined to specific infrastructure choices. The Hacker News reports that the flaw exclusively affects Exim versions 4.97 through 4.99.2 when they have been compiled with the GnuTLS library. Exim builds that rely on alternative cryptographic libraries, such as OpenSSL, are not susceptible to this particular attack vector.
Consequently, the risk is highly concentrated on Linux distributions like Debian, Ubuntu, and other Debian-derived systems, whose default Exim packages are typically built against GnuTLS and are therefore vulnerable. Conversely, systems such as Red Hat Enterprise Linux are generally considered safe from this specific vulnerability.
System administrators cannot rely on simple configuration changes or workarounds to effectively mitigate this threat. The Exim development team has addressed the memory handling flaw in version 4.99.3. Security platforms and experts universally advise immediate upgrades to this patched version, as it remains the only definitive defense against exploitation without breaking essential functionality.
What You Should Do
- Immediately identify all Exim mail servers within your environment.
- Check the Exim version and confirm whether it falls within the affected range (4.97 through 4.99.2).
- Determine if your Exim installation is compiled with the GnuTLS library.
- Upgrade all vulnerable Exim instances to version 4.99.3 or later without delay.
- Monitor your Exim server logs for any unusual activity or connection attempts that may indicate exploitation attempts.
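A triage helper for the version and TLS-library checks in the list above, added here as an example and not taken from Exim or the article. It assumes that `exim -bV` prints an `Exim version X` line and names the TLS library (GnuTLS or OpenSSL) somewhere in its output, which matches typical Debian builds; the sample output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Dead.Letter triage: flag an Exim build when its version lies in
# 4.97 .. 4.99.2 AND it was compiled against GnuTLS (the affected profile).
# Hypothetical helper; the `exim -bV` line formats it parses are assumed.

# exim_version_affected VERSION -> exit 0 if 4.97 <= VERSION <= 4.99.2
exim_version_affected() {
  v=${1%%[!0-9.]*}                      # drop package suffixes such as "-1"
  old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  [ "$major" -eq 4 ] || return 1
  [ "$minor" -ge 97 ] && [ "$minor" -le 99 ] || return 1
  if [ "$minor" -eq 99 ]; then [ "$patch" -le 2 ] || return 1; fi
  return 0
}

# exim_version_from_bv BV_TEXT -> prints the version from the "Exim version X" line
exim_version_from_bv() {
  printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# exim_tls_lib_from_bv BV_TEXT -> prints GnuTLS, OpenSSL or unknown
exim_tls_lib_from_bv() {
  case "$1" in
    *GnuTLS*)  echo GnuTLS ;;
    *OpenSSL*) echo OpenSSL ;;
    *)         echo unknown ;;
  esac
}

# exim_deadletter_verdict BV_TEXT -> VULNERABLE | NOT_GNUTLS_BUILD | PATCHED_OR_OUTSIDE_RANGE
exim_deadletter_verdict() {
  ver=$(exim_version_from_bv "$1")
  lib=$(exim_tls_lib_from_bv "$1")
  if [ "$lib" != GnuTLS ]; then echo NOT_GNUTLS_BUILD
  elif exim_version_affected "$ver"; then echo VULNERABLE
  else echo PATCHED_OR_OUTSIDE_RANGE; fi
}

# Constructed sample in the shape of `exim -bV` output (not from a real host).
SAMPLE_BV='Exim version 4.99.2 #3 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DANE DKIM DNSSEC Event OCSP
Library version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3'

# Assess the live binary when present; otherwise show the verdict for the sample.
if command -v exim >/dev/null 2>&1; then
  exim_deadletter_verdict "$(exim -bV 2>/dev/null)"
else
  exim_deadletter_verdict "$SAMPLE_BV"
fi
```

Run it on each mail host you inventoried; a `VULNERABLE` verdict means the host needs the 4.99.3 upgrade, while `NOT_GNUTLS_BUILD` should still be confirmed against your package's build flags.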
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.