Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
The vulnerability occurs in the BDAT message body parsing path (CHUNKING mechanism) with specific GnuTLS configurations. The attacker sends a TLS close_notify signal during message body transfer (in the middle of a chunk), then transmits the final byte as cleartext within the same TCP connection. This unexpected transition leads to use-after-free of a heap memory area, causing heap corruption. The bug can be exploited to hijack control flow and execute arbitrary code.
An unauthenticated network attacker can execute arbitrary code on the server with Exim process privileges, which in practice means complete compromise of the mail server. Possible consequences include data disclosure and modification, malware installation, and use of the server as an entry point for further network infiltration.
Exim must be updated immediately to version 4.99.3 or later. Detailed patch information is available in the official security bulletin at https://exim.org/static/doc/security/CVE-2026-45185.txt and https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/. As a temporary workaround, consider disabling CHUNKING (BDAT) support or switching the TLS library if an immediate update is not possible.
Exim versions prior to 4.99.3 running with GnuTLS configuration (not all TLS configurations are vulnerable — a specific GnuTLS configuration with CHUNKING/BDAT support enabled is required).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExim
APPExim4.97 – 4.99.3 (bez)
Related vulnerabilities
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is...
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in delive...
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handc...
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attack...
Exim SMTP AUTH — zapis poza buforem umożliwiający zdalne wykonanie kodu