If you’re running Exim on Debian or Ubuntu and haven’t patched in the past five weeks, there’s a reasonable chance your mail server is remotely exploitable by anyone who can open a TLS connection to port 25. No credentials required. No special tooling. Standard SMTP commands.
CVE-2026-45185, nicknamed Dead.Letter, is a use-after-free vulnerability in Exim’s BDAT message parsing path. CVSS score: 9.8 Critical. Fixed in Exim 4.99.3, released May 12, 2026. If you haven’t checked your version since then, now would be a good time.
Who is exposed
The vulnerability only triggers on Exim builds compiled with GnuTLS (USE_GNUTLS=yes). That sounds like a niche condition until you realise that Debian and Ubuntu — the most common base distributions for Linux mail servers — ship Exim with GnuTLS by default. Any Exim version from 4.97 through 4.99.2 on a GnuTLS-linked build is affected. Builds using OpenSSL are not.
To check:
exim4 -bV | grep -i tls
(exim4 --version prints the same block as -bV.) The "Support for:" line carries TLS=GnuTLS or TLS=OpenSSL, and recent builds also print a "Library version:" line naming the library. If the output mentions GnuTLS, you need to act. If it says OpenSSL, you’re clear on this particular CVE.
cPanel servers using Exim on Debian-derived stacks should also be checked, since the affected code path doesn’t care whether a control panel is sitting in front of it.
How the bug works
The flaw lives in Exim’s handling of BDAT — the CHUNKING SMTP extension that replaces the older DATA command for sending message bodies. During a BDAT transfer over TLS, if a client sends a TLS close_notify alert before the body transfer completes, and then follows up with a single byte in cleartext on the same TCP connection, Exim processes that byte after it has already freed its TLS transfer buffer.
The ungetc() call that handles the stray byte writes one character — a newline — into freed memory. That one byte lands on allocator metadata. From there, Federico Kirschbaum at XBOW, who discovered and reported the flaw on May 1, 2026, demonstrated that the heap corruption can be leveraged into arbitrary code execution. XBOW described it as “one of the highest-caliber bugs” they have found in Exim.
The barrier to exploitation is low. An attacker needs nothing more than the ability to open a TLS connection and use BDAT — both of which are standard capabilities for any SMTP client. No authentication, no existing relationship with the server, no insider access.
The fix
Exim 4.99.3 resets the input processing stack when it receives a TLS close_notify during an active BDAT transfer, eliminating the stale pointer that the previous code path could write into. The fix is surgical and upstream has stated clearly that no configuration-based workaround exists — disabling TLS is not an option, and restricting BDAT at the SMTP level is not a documented mitigation path.
Distribution packages were coordinated with the upstream disclosure on May 12, 2026:
- Debian: Updated exim4 packages are available for stable (Trixie/13), oldstable (Bookworm/12), and oldoldstable (Bullseye/11). Run apt-get update && apt-get upgrade. Note that exim4 is only a metapackage; the daemon itself is exim4-daemon-light or exim4-daemon-heavy, so make sure the daemon package you actually have installed is the one that gets upgraded.
- Ubuntu: Security updates for Ubuntu 24.04 LTS and other supported releases are available via the standard repositories. The same apt-get update && apt-get upgrade handles it.
- cPanel/WHM: If Exim is managed by cPanel, check via WHM → Service Configuration → Exim Configuration Manager and cross-reference the installed version. cPanel typically pushes Exim updates through its own update channel, so on a cPanel host confirm the version from WHM rather than relying on the distribution package.
Run exim4 -bV (or exim -bV on non-Debian systems) to confirm your installed version. On a source or cPanel build, anything below 4.99.3 linked against GnuTLS is unpatched. On Debian and Ubuntu the reported version will usually stay below 4.99.3 even after the update, because the distributions backport the fix onto the version they already ship, so confirm the fix from the package side instead: check that the installed exim4-daemon-* package version matches the one named in the distribution’s security advisory, or that CVE-2026-45185 appears in the package changelog (apt changelog exim4-daemon-light, or offline in /usr/share/doc/exim4-daemon-light/changelog.Debian.gz).
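The two checks above (GnuTLS versus OpenSSL, and the installed version against 4.99.3), together with the Debian/Ubuntu backport caveat, pulled together as an added shell example. This is not code from the Exim project or from this post. It assumes the -bV layout described above (a first line "Exim version X.Y.Z #N built ...", and a "Support for:" line containing TLS=GnuTLS or TLS=OpenSSL), that Debian-family hosts install the daemon as exim4-daemon-light or exim4-daemon-heavy with a changelog under /usr/share/doc, and that a backported fix is recorded in that changelog. The function names and the three sample -bV excerpts are constructed for the example.

```shell
#!/bin/sh
# Added example for this advisory, not code from the Exim project or the
# original post. Classifies an Exim build from the text of `exim -bV`
# (exim4 -bV on Debian/Ubuntu; --version prints the same block) and, on
# Debian/Ubuntu, looks for the CVE in the daemon package changelog, because
# those distributions backport fixes without bumping the upstream version.
# Assumed -bV layout: first line "Exim version X.Y.Z #N built ...", and a
# "Support for:" line containing TLS=GnuTLS or TLS=OpenSSL.

CVE_ID="CVE-2026-45185"
FIXED_VERSION="4.99.3"
FIRST_AFFECTED="4.97"

# Constructed -bV excerpts (not captured from real hosts), used for self-test.
SAMPLE_GNUTLS_OLD='Exim version 4.98.1 #2 built 03-Feb-2026 10:11:12
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TLS=GnuTLS DKIM DNSSEC'
SAMPLE_OPENSSL_OLD='Exim version 4.98.1 #1 built 03-Feb-2026 10:11:12
Support for: crypteq iconv() IPv6 PAM Expand_dlfunc TLS=OpenSSL DKIM DNSSEC'
SAMPLE_GNUTLS_FIXED='Exim version 4.99.3 #1 built 12-May-2026 08:00:00
Support for: crypteq iconv() IPv6 PAM Expand_dlfunc TLS=GnuTLS DKIM DNSSEC'

# Print the TLS backend (gnutls, openssl or none) named in a -bV text.
exim_tls_backend() {
    case "$1" in
        *GnuTLS*)  echo gnutls ;;
        *OpenSSL*) echo openssl ;;
        *)         echo none ;;
    esac
}

# Print the upstream version number from the first line of a -bV text.
exim_version() {
    printf '%s\n' "$1" | sed -n '1s/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Succeed (exit 0) if dotted version $1 is numerically lower than $2.
# Missing trailing components count as 0, so 4.97 < 4.97.1.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Verdict from the upstream version alone: exposed, patched, not-affected or
# unknown. Debian/Ubuntu builds also need the changelog check below.
exim_verdict() {
    backend=$(exim_tls_backend "$1")
    ver=$(exim_version "$1")
    if [ -z "$ver" ]; then echo unknown
    elif [ "$backend" != gnutls ]; then echo not-affected
    elif version_lt "$ver" "$FIRST_AFFECTED"; then echo not-affected
    elif version_lt "$ver" "$FIXED_VERSION"; then echo exposed
    else echo patched
    fi
}

# Debian/Ubuntu: succeed if the installed daemon package's changelog cites the
# CVE. A backported fix leaves the -bV version untouched, so this is the check
# that tells you whether the distribution update has actually landed.
debian_changelog_cites_cve() {
    for pkg in exim4-daemon-light exim4-daemon-heavy; do
        log="/usr/share/doc/$pkg/changelog.Debian.gz"
        [ -r "$log" ] && zcat "$log" | grep -q "$CVE_ID" && return 0
    done
    return 1
}

# Live check of this host; runs only when invoked as: sh exim-check.sh --live
exim_live_check() {
    bin=$(command -v exim4 || command -v exim) || { echo "no exim binary found"; return 2; }
    out=$("$bin" -bV 2>/dev/null) || { echo "could not run $bin -bV"; return 2; }
    verdict=$(exim_verdict "$out")
    echo "$bin: version $(exim_version "$out"), TLS=$(exim_tls_backend "$out"), verdict: $verdict"
    if [ "$verdict" = exposed ] && debian_changelog_cites_cve; then
        echo "package changelog cites $CVE_ID: fixed by distribution backport despite the version number"
    fi
}

if [ "${1:-}" = "--live" ]; then
    exim_live_check
fi
```

Run it as `sh exim-check.sh --live` on the mail server. The verdict from the version number is the final word for builds from source or from cPanel; on Debian and Ubuntu an "exposed" verdict is only a prompt to look at the package changelog line that follows it.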
What this means for kalfaoglu.net customers
Exim is the default MTA on the majority of shared and managed hosting environments, including cPanel stacks. If you’re on a server managed by kalfaoglu.net, the relevant security updates have been reviewed and applied. If you run your own VPS with Exim — particularly a Debian or Ubuntu server — check your version and apply distribution updates if you haven’t already.
If you’re uncertain which mail transfer agent your server uses, or whether your Exim build links against GnuTLS, get in touch. The version check takes thirty seconds and the fix takes an apt-get upgrade.
This one is worth confirming rather than assuming someone else handled it.
Sources: The Hacker News · NVD CVE-2026-45185 · XBOW Technical Write-up · oss-security disclosure · Exim Security Advisory