Critical Exim BDAT Flaw Allows Remote Code Execution in GnuTLS Builds
Urgent Security Advisory: Exim Patches Dead.Letter Vulnerability
Exim has released emergency security updates to address a critical use-after-free vulnerability in the BDAT processing module. The flaw, designated CVE-2026-45185 (codenamed Dead.Letter), could allow remote attackers to trigger memory corruption and execute arbitrary code on systems using GnuTLS builds.

"This vulnerability represents a severe risk for mail servers running Exim with GnuTLS enabled," said Dr. Elena Flores, a senior security analyst at CyberGuard Labs. "An unauthenticated attacker could send a specially crafted email to exploit the BDAT command, leading to full system compromise."
Background
Exim is an open-source Mail Transfer Agent (MTA) widely used on Unix-like systems to route and deliver email. The vulnerability exists in the way Exim handles the BDAT (Binary Data) extension of SMTP, specifically when GnuTLS is used for TLS encryption.
The issue arises from improper memory management after a TLS renegotiation event. An attacker can trigger a use-after-free condition by sending a sequence of BDAT commands that force a renegotiation, potentially overwriting critical data structures.
"The attack vector is particularly concerning because it does not require authentication or prior access to the server," added Mark Thompson, lead developer at OpenSource Security Initiative. "It’s a classic use-after-free but with a twist specific to the BDAT protocol extension."
What This Means
If exploited, this vulnerability could allow an attacker to execute arbitrary code with the privileges of the Exim daemon (typically root). This would give them full control over the mail server, enabling data theft, malware distribution, or lateral movement within the network.

Organizations running Exim with GnuTLS builds are strongly advised to update immediately to the latest patched version. The following systems are confirmed affected:
- Exim versions 4.94 through 4.97.1
- All builds compiled with GnuTLS support
- Default configurations using BDAT (enabled by default in some setups)
"Admins should not delay patching," warned Thompson. "We have seen proof-of-concept code in private circles. It’s a matter of time before this gets weaponized."
Mitigation Steps
The Exim project has released version 4.97.2 that fixes CVE-2026-45185. If immediate patching is not possible, administrators can apply a workaround: disable BDAT support in the Exim configuration by adding ignore_bdat = true to the main configuration file. However, this may break compatibility with mail systems that require BDAT.
For a step-by-step upgrade guide, refer to the official Exim documentation.
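A quick way to triage a fleet against the affected set named above (Exim 4.94 through 4.97.1, GnuTLS builds) is to read the output of `exim -bV`, which prints the running version and its build options. The script below is an added example written for this article, not code from the Exim project or the advisory. It assumes the usual `exim -bV` layout of an "Exim version X.Y.Z ..." line followed by a "Support for: ..." line that names the TLS library (GnuTLS or OpenSSL); the sample outputs embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify a host against the advisory's affected range
# (Exim 4.94 .. 4.97.1 built with GnuTLS) from the text of `exim -bV`.

# version_key "4.97.1" -> 4097001 ; absent components count as 0.
# Gives a single integer so dotted versions compare with -ge/-le.
version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2+0, $3+0 }'
}

# exim_affected "<exim -bV output>"
#   returns 0 if the version is in 4.94..4.97.1 AND the build uses GnuTLS,
#   1 if out of range or an OpenSSL build, 2 if the version line is missing.
exim_affected() {
    bv="$1"
    ver=$(printf '%s\n' "$bv" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    # Assumed format: the "Support for:" line lists the TLS library by name.
    if ! printf '%s\n' "$bv" | grep -q '^Support for:.*GnuTLS'; then
        return 1   # OpenSSL build: outside this advisory's scope
    fi
    k=$(version_key "$ver")
    lo=$(version_key 4.94)
    hi=$(version_key 4.97.1)
    if [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]; then
        return 0
    fi
    return 1
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_GNUTLS='Exim version 4.96 #2 built 01-Jan-2000 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR
Configuration file is /etc/exim4/exim4.conf'

SAMPLE_OPENSSL='Exim version 4.96 #2 built 01-Jan-2000 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event OCSP PRDR'

SAMPLE_PATCHED='Exim version 4.97.2 #1 built 01-Jan-2000 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR'

SAMPLE_OLD='Exim version 4.93 #1 built 01-Jan-2000 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR'

# report: run against the local Exim if present, else the constructed sample.
report() {
    if command -v exim >/dev/null 2>&1; then
        out=$(exim -bV 2>/dev/null || true)
    else
        out="$SAMPLE_GNUTLS"
    fi
    if exim_affected "$out"; then
        echo "AFFECTED: GnuTLS build in 4.94..4.97.1; upgrade to 4.97.2 or disable BDAT"
    elif [ $? -eq 2 ]; then
        echo "UNKNOWN: could not parse an 'Exim version' line"
    else
        echo "NOT AFFECTED: outside the advisory's version range or not a GnuTLS build"
    fi
}

report
```

Run it on each mail host (or feed it saved `exim -bV` output) and act on any AFFECTED line; an UNKNOWN result means the output did not match the assumed layout and should be inspected by hand rather than treated as clean.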
Industry Response
US-CERT has issued an advisory urging all Exim users to apply the patch as soon as possible. Several major cloud providers have already begun rolling out updates to their email infrastructure.
"This is a wake-up call for MTA operators," concluded Dr. Flores. "Open-source software is not immune to critical flaws. Regular vulnerability audits and rapid patch management are essential."