https://blog.kalfaoglu.net/tags/rce/Recent content in RCE on kalfaoglu.netHugoenSun, 21 Jun 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-06-21-exim-dead-letter-cve-2026-45185-en/Sun, 21 Jun 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-06-21-exim-dead-letter-cve-2026-45185-en/<p>If you&rsquo;re running Exim on Debian or Ubuntu and haven&rsquo;t patched in the past five weeks, there&rsquo;s a reasonable chance your mail server is remotely exploitable by anyone who can open a TLS connection to port 25. No credentials required. No special tooling. Standard SMTP commands.</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-45185">CVE-2026-45185</a>, nicknamed <strong>Dead.Letter</strong>, is a use-after-free vulnerability in Exim&rsquo;s BDAT message parsing path. CVSS score: 9.8 Critical. Fixed in Exim 4.99.3, released May 12, 2026. If you haven&rsquo;t checked your version since then, now would be a good time.</p>