Latest Exim Mail vulnerability: CVE-2026-45185 #
Researchers disclosed that certain versions of Exim are susceptible to a critical remote code execution (RCE) vulnerability caused by a use-after-free (UAF) condition in the BDAT body parsing path. The flaw is specifically triggered when Exim is configured to use GnuTLS, the default TLS library for many Debian-based distributions. The vulnerability occurs when a client sends a TLS close_notify alert mid-body during an SMTP CHUNKING (RFC 3030) transfer, followed by a final cleartext byte on the same TCP connection. This specific sequence leads to heap corruption, which a remote, unauthenticated attacker can leverage to execute arbitrary code on the system. The vulnerability, designated CVE-2026-45185, also known as Dead.Letter, is rated critical with a base CVSS score of 9.8.
The following versions are affected
- Exim: Versions prior to 4.99.3 (when configured with GnuTLS).
What is Exim? #
Exim is an open-source Mail Transfer Agent (MTA) for Unix-like operating systems that manages the routing and delivery of email messages via SMTP using a highly flexible and programmable configuration system.
What is the impact? #
Successful exploitation of the vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code on the affected system.
Are updates or workarounds available? #
Upgrade affected systems to the new versions
- Exim: Upgrade to 4.99.3 or later.
How to find potentially vulnerable systems with runZero #
From the Service inventory, use the following query to locate potentially impacted assets:
product:=exim AND banner:"STARTTLS"
October 2023: CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119, and CVE-2023-42114 #
On September 27th 2023, Trend Micro's Zero Day Initiative (ZDI) published details of a critical zero-day vulnerability that allows an unauthenticated attacker the ability to remotely execute arbitrary code within the context of an Exim SMTP service account. In addition, ZDI disclosed five additional zero-day vulnerabilities with lower severity rankings:
- CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVSS v3.0 8.1)
- CVE-2023-42117: Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability (CVSS v3.0 8.1)
- CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability (CVSS v3.0 7.5)
- CVE-2023-42119: Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.1)
- CVE-2023-42114: Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.7)
What is Exim Mail? #
Exim mail is an open source, message transfer agent (MTA) that runs on Unix/Linux operating systems. Exim is also the default MTA configured on Debian Linux distributions.
Are updates available? #
Recently, maintainers of the Exim mail server issued a 4.96.1 patch that appears to resolve four of the six vulnerabilities listed above. Although the maintainers are still working to resolve the remaining vulnerabilities, if you are running Exim mail servers on your network, you should apply the security patch immediately.
How do I find potentially vulnerable Exim mail servers with runZero? #
A Shodan search showed nearly 3.5 million Exim servers exposed to the internet. Their accessibility makes these mail transfer agents targets for attackers.
With runZero, you can find Exim mail servers in your inventory with this pre-built query. This query searches for any live asset that has the exim product exposed over SMTP.
product:exim
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
