ZCyberNews

Exim BDAT Use-After-Free Flaw CVE-2026-45185 Enables Remote Code

CVE-2026-45185 (Dead.Letter) is a use-after-free in Exim's BDAT handling affecting GnuTLS builds — CVSS 9.8, remote code execution risk. Patches released.

Executive Summary

Exim, the widely deployed open-source Mail Transfer Agent (MTA) for Unix-like systems, has released emergency security updates addressing a critical use-after-free vulnerability in its BDAT (Binary Data) chunk handling. Tracked as CVE-2026-45185 and dubbed Dead.Letter, the flaw carries a CVSS score of 9.8 and affects all Exim builds compiled against GnuTLS. An unauthenticated, remote attacker can exploit the vulnerability to trigger memory corruption and potentially achieve arbitrary code execution on the mail server. The Exim development team released version 4.98.1 on May 11, 2026, to remediate the issue. Organizations running Exim with GnuTLS should treat this as a critical priority patch.

Technical Analysis

According to the advisory published by the Exim maintainers, CVE-2026-45185 resides in the BDAT chunk processing logic. BDAT is an extension to SMTP defined in RFC 3030 that allows binary data to be transmitted in chunks, bypassing the need for base64 or quoted-printable encoding. The vulnerability manifests as a use-after-free condition when the MTA processes a specially crafted sequence of BDAT chunks.

Specifically, the flaw occurs during the reassembly of BDAT chunks into the complete message body. Under certain conditions, memory associated with a previously freed chunk is accessed again, leading to heap corruption. An attacker who can connect to the Exim SMTP listener (typically port 25) can send a malicious sequence of BDAT commands to trigger this condition without any authentication. The GnuTLS code path is uniquely affected because of differences in how TLS termination interacts with the chunk reassembly buffer management — the OpenSSL code path is not vulnerable.

Successful exploitation could allow the attacker to overwrite critical data structures in the Exim process heap, potentially leading to arbitrary code execution with the privileges of the Exim daemon (typically the exim user). The Exim team has confirmed that the vulnerability is remotely exploitable and requires no prior access to the server.

Mitigations & Recommendations

System administrators running Exim should immediately upgrade to version 4.98.1 or later, which contains the fix for CVE-2026-45185. The patched version is available from the official Exim website and source repositories.

For organizations unable to patch immediately, the following mitigations may reduce exposure:

  • Restrict SMTP access: Limit inbound connections to the SMTP port (25) to known mail relays or trusted IP ranges using firewall rules or TCP wrappers. This does not eliminate the risk from trusted senders but reduces the attack surface.
  • Disable BDAT support: If BDAT is not required for your mail flow, it can be disabled by removing the bdat option from the Exim configuration file (/etc/exim/exim.conf). Note that this may break delivery of messages from senders that rely on BDAT.
  • Monitor for exploitation attempts: Review SMTP logs for unusual sequences of BDAT commands or repeated connection attempts from the same source. Anomalous patterns may indicate scanning or exploitation attempts.
  • Switch to OpenSSL: If feasible, rebuild Exim against OpenSSL instead of GnuTLS. The advisory explicitly states that the OpenSSL code path is not affected. However, this is a significant configuration change that should be tested thoroughly.
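
As an added illustration of the log-review mitigation above (this is not code from the advisory or from the Exim project), the following Python script walks a constructed per-connection SMTP command capture and flags BDAT usage that violates RFC 3030 sequencing or exceeds an assumed chunk threshold. The capture format, the sample lines, the client addresses and the thresholds are all assumptions; Exim's default logging does not record individual BDAT commands, so a capture like this would come from a proxy, a debug log or packet capture.

```python
import re
from collections import defaultdict

# Constructed per-connection SMTP command capture (not real Exim log lines; Exim
# does not log each BDAT by default, so this would come from a proxy or pcap).
# Assumed format: "<timestamp> <client-ip> <conn-id> <command line>".
SAMPLE_LOG = """\
2026-05-12T10:00:01 198.51.100.7 c1 MAIL FROM:<a@example.net>
2026-05-12T10:00:01 198.51.100.7 c1 RCPT TO:<b@example.org>
2026-05-12T10:00:02 198.51.100.7 c1 BDAT 4096 LAST
2026-05-12T10:00:05 203.0.113.9 c2 MAIL FROM:<>
2026-05-12T10:00:05 203.0.113.9 c2 RCPT TO:<b@example.org>
2026-05-12T10:00:05 203.0.113.9 c2 BDAT 0
2026-05-12T10:00:05 203.0.113.9 c2 BDAT 1 LAST
2026-05-12T10:00:05 203.0.113.9 c2 BDAT 0
2026-05-12T10:00:06 203.0.113.9 c2 BDAT 2 LAST
"""

BDAT_RE = re.compile(r"^BDAT\s+(\d+)(\s+LAST)?\s*$", re.IGNORECASE)
MAX_CHUNKS = 8  # assumed threshold; tune to what your own senders normally use


def analyze_bdat_sessions(log_text, max_chunks=MAX_CHUNKS):
    """Return {conn_id: (client_ip, [reasons])} for connections with odd BDAT use."""
    state = defaultdict(lambda: {"ip": None, "chunks": 0, "zero": 0, "closed": False})
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        _ts, ip, conn, cmd = parts
        s = state[conn]
        s["ip"] = ip
        if cmd.upper().startswith("MAIL "):  # new transaction resets chunk state
            s.update(chunks=0, zero=0, closed=False)
            continue
        m = BDAT_RE.match(cmd)
        if not m:
            continue
        size, is_last = int(m.group(1)), bool(m.group(2))
        if s["closed"]:  # RFC 3030: after BDAT LAST a new transaction needs MAIL
            findings[conn].add("BDAT after BDAT LAST without new MAIL")
        s["chunks"] += 1
        s["zero"] += int(size == 0)
        s["closed"] = is_last
        if s["chunks"] > max_chunks:
            findings[conn].add(f"more than {max_chunks} chunks in one transaction")
        if s["zero"] >= 2:
            findings[conn].add("repeated zero-length chunks")
    return {c: (state[c]["ip"], sorted(r)) for c, r in findings.items()}
```

Connections that only use well-formed BDAT sequences (like `c1` in the sample) produce no finding; the reasons returned for the others are a starting point for triage, not proof of exploitation.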

Defenders should also monitor for post-exploitation activity such as unexpected outbound connections from the mail server, as a compromised Exim instance could be used as a pivot point for lateral movement.
