
CVE-2026-45185: Exim 'Dead.Letter' Use-After-Free - Check Your GnuTLS Builds

SecArch_Diana 5/12/2026

Just catching up on the latest release from Exim, and this one looks nasty for anyone still running GnuTLS builds. The vulnerability (CVE-2026-45185), dubbed 'Dead.Letter,' is a use-after-free bug triggered during the handling of BDAT commands.

Because it targets the BDAT implementation specifically in GnuTLS builds, it opens the door for memory corruption and, ultimately, remote code execution. Given Exim's footprint in the Unix ecosystem, this feels like a repeat of the RCE waves from a few years ago, but with a very specific trigger.

If you haven't patched yet, you should verify if your instance is even vulnerable. The bug is specific to the GnuTLS integration, so OpenSSL builds might be in the clear, but you shouldn't rely on that assumption alone.

You can quickly check your build configuration and version with:

exim -bV | grep -E 'Exim version|GnuTLS|Support for'

For those of you managing internal mail relays, are you seeing this in the wild yet? I'm curious if anyone has developed reliable Snort/Suricata rules to catch malformed BDAT chunks before the patching cycle completes, or if we're all just frantically recompiling right now.
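The build check above works at a glance; for anyone who has to sweep more than a handful of relays, here is a small Python helper (added to this thread, not part of Exim or the advisory) that parses `exim -bV` output and reports the TLS backend. The sample output is constructed, and the version string "4.xx" and build date in it are placeholders rather than values from the advisory; the backend is read from the "Support for:" feature line, which names GnuTLS or OpenSSL on TLS-enabled builds.

```python
import re
import subprocess

# Constructed sample of `exim -bV` output for a GnuTLS build. The version
# "4.xx", the build date and the library versions are placeholders, not
# values taken from the advisory.
SAMPLE_BV = """\
Exim version 4.xx #1 built 01-Jan-2026 00:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Library version: GnuTLS: Compile: 3.x.y
                         Runtime: 3.x.y
Configuration file is /etc/exim4/exim4.conf
"""


def parse_exim_bv(text):
    """Pull the version and the TLS backend out of `exim -bV` output.

    The backend is read from the 'Support for:' feature list, which names
    GnuTLS or OpenSSL when Exim was built with TLS, and is None otherwise."""
    version_match = re.search(r"^Exim version (\S+)", text, re.MULTILINE)
    support_match = re.search(r"^Support for:(.*)$", text, re.MULTILINE)
    features = support_match.group(1).split() if support_match else []
    if "GnuTLS" in features:
        tls = "GnuTLS"
    elif "OpenSSL" in features:
        tls = "OpenSSL"
    else:
        tls = None
    return {
        "version": version_match.group(1) if version_match else None,
        "tls": tls,
        "features": features,
    }


def needs_dead_letter_review(text):
    """True when the build links GnuTLS, i.e. the configuration this
    thread's advisory describes as affected."""
    return parse_exim_bv(text)["tls"] == "GnuTLS"


def main():
    # On a real host read the live output; fall back to the constructed
    # sample when the binary is absent so the script still runs elsewhere.
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_BV
    info = parse_exim_bv(out)
    print(f"Exim {info['version']}, TLS backend: {info['tls']}")
    if needs_dead_letter_review(out):
        print("GnuTLS build: compare the version against the vendor advisory.")


if __name__ == "__main__":
    main()
```

On Debian and Ubuntu the binary is usually installed as `exim4`, so swap the name in `subprocess.run` accordingly; the parsing is the same.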

Pentest_Sarah 5/12/2026

We started seeing strange BDAT sequences in our honeypots about 48 hours ago, initially thinking it was just spammer noise. Once the advisory dropped, we correlated the traffic.

For detection, we're currently watching for fragmented BDAT commands that exceed RFC definitions. You can use this basic grep against your mail logs to spot anomalies while you patch:

zgrep -i 'BDAT' /var/log/exim/main.log | awk '{print $NF}' | sort -u

It's not a silver bullet, but it helps identify potential probing attempts.
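
The grep above surfaces BDAT activity but does not say what is wrong with it. As an added example (mine, not from the advisory or from Exim), the script below checks client command sequences against the BDAT grammar in RFC 3030, "BDAT" SP chunk-size [SP "LAST"], and against two policy limits that are assumptions to tune locally: a maximum chunk size and a maximum number of chunks per message. The input format, one "session_id<TAB>command" record per line, and the sample sessions are constructed; they are not Exim log lines.

```python
import re
from collections import defaultdict

# RFC 3030 grammar for the command line: "BDAT" SP chunk-size [SP "LAST"] CRLF
# with chunk-size = 1*DIGIT. SMTP verbs and the LAST keyword are case-insensitive.
BDAT_RE = re.compile(r"^BDAT (\d+)(?: (LAST))?$", re.IGNORECASE)

# Policy limits; these are assumptions for illustration, not values from the
# advisory or from Exim's defaults. Tune them to your relay's message_size_limit.
MAX_CHUNK_OCTETS = 50 * 1024 * 1024   # larger than any message this relay accepts
MAX_CHUNKS_PER_MESSAGE = 500          # more chunks than a legitimate client sends

# Constructed sample: c1 is a normal chunked message, c2 keeps sending after
# BDAT LAST, c3 sends syntactically invalid and oversized chunks.
SAMPLE_SESSIONS = [
    "c1\tMAIL FROM:<alice@example.net>",
    "c1\tBDAT 4096",
    "c1\tBDAT 1024 LAST",
    "c2\tMAIL FROM:<bob@example.net>",
    "c2\tBDAT 4096 LAST",
    "c2\tBDAT 512",
    "c3\tMAIL FROM:<eve@example.net>",
    "c3\tBDAT -1",
    "c3\tBDAT 99999999999",
    "c3\tBDAT 128 LAST extra",
]


def check_bdat_sequence(lines):
    """Scan 'session_id<TAB>command' records and return a list of
    (session_id, command, reason) tuples for every BDAT that violates the
    RFC 3030 syntax, arrives after BDAT LAST without a new transaction, or
    exceeds the policy limits above."""
    findings = []
    chunks = defaultdict(int)       # chunks seen in the current message, per session
    last_seen = defaultdict(bool)   # BDAT ... LAST already closed the message
    for raw in lines:
        sid, _, cmd = raw.rstrip("\r\n").partition("\t")
        verb = re.split(r"\s+", cmd, maxsplit=1)[0].upper()
        if verb in ("MAIL", "RSET"):
            # A new transaction (or reset) starts the chunk count over.
            chunks[sid] = 0
            last_seen[sid] = False
            continue
        if verb != "BDAT":
            continue
        match = BDAT_RE.match(cmd)
        if not match:
            findings.append((sid, cmd, "malformed BDAT syntax"))
            continue
        size = int(match.group(1))
        is_last = match.group(2) is not None
        if last_seen[sid]:
            findings.append((sid, cmd, "BDAT after BDAT LAST without RSET/MAIL"))
        chunks[sid] += 1
        if size > MAX_CHUNK_OCTETS:
            findings.append((sid, cmd, f"chunk size {size} exceeds policy limit"))
        if chunks[sid] > MAX_CHUNKS_PER_MESSAGE:
            findings.append((sid, cmd, "excessive chunk fragmentation"))
        if is_last:
            last_seen[sid] = True
    return findings


if __name__ == "__main__":
    for sid, cmd, reason in check_bdat_sequence(SAMPLE_SESSIONS):
        print(f"{sid}: {cmd!r}: {reason}")
```

Feed it whatever your capture or proxy produces in the session/command shape, and treat a hit as a reason to look at that client, not as proof of exploitation; a broken client can trip the syntax check too.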

PatchTuesday_Sam 5/12/2026

This is exactly why we migrated our external edge to Postfix years ago, but we still have a few legacy Exim boxes internally for list management that I completely forgot about.

Just checked them, and sure enough, they are running the GnuTLS build. Does anyone know if the standard distro repos (Debian/Ubuntu) have pushed the patched packages yet, or are we forced to compile from source for the moment? I really don't want to maintain a custom MTA build if I can avoid it.

HoneyPot_Hacker_Zara 5/12/2026

From a pentester's perspective, this is a golden ticket for internal lateral movement if mail relays aren't segregated properly. The use-after-free class is tricky to exploit reliably, but if the PoC drops, script kiddies will be blasting it everywhere.

If you are running Exim, ensure you aren't exposing the management interface (port 587 or 25) to the broader WAN without authentication. A quick Nmap scan to verify your exposure landscape:

nmap -p 25,587 --script smtp-commands <your-relay-host-or-range>

Stay safe out there.


Thread Stats

Created: 5/12/2026
Last Active: 5/12/2026
Replies: 3
Views: 197