Dead.Letter: Remote UAF RCE in Exim BDAT/GnuTLS handling
CVE-2026-45185 is a remotely reachable use-after-free vulnerability in Exim’s BDAT body parsing path affecting Exim versions before 4.99.3 when built with GnuTLS. The flaw is triggered during SMTP CHUNKING/BDAT processing if a client sends a TLS close_notify in the middle of a BDAT body transfer and then sends a final cleartext byte on the same TCP connection. In the vulnerable state transition, Exim tears down the TLS session and frees the TLS transfer buffer, but nested BDAT receive wrappers can still reference the stale TLS callbacks and invoke ungetc()-style logic against the freed buffer. This results in a write into freed heap memory and consequent heap corruption. Public reporting indicates the issue affects Exim 4.97 through 4.99.2 with USE_GNUTLS=yes; OpenSSL-backed builds are not affected. The vulnerability is unauthenticated and network-reachable, and available reporting states it can be developed into arbitrary code execution.
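As an added triage helper (not code from the Exim project or from Mallory), the shell function below classifies a host's `exim -bV` output against the affected range stated above: Exim 4.97 up to and including 4.99.2, built with GnuTLS. It assumes the first line of `exim -bV` reads `Exim version X.YY[.Z] ...` and that GnuTLS-backed builds name GnuTLS in their library-version output; the sample outputs are constructed.

```shell
# Added triage helper, not code from Exim or Mallory. Classifies one host's "exim -bV"
# output against the affected range stated above: Exim 4.97 up to and including 4.99.2,
# built with GnuTLS. Assumes the first line of "exim -bV" reads "Exim version X.YY[.Z] ..."
# and that GnuTLS-backed builds name GnuTLS in their library-version output.

# Constructed sample outputs (not captured from real hosts); only the lines used are kept.
SAMPLE_GNUTLS_498='Exim version 4.98.1 #2 built 01-Jan-2025
Library version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3'
SAMPLE_OPENSSL_498='Exim version 4.98.1 #2 built 01-Jan-2025
Library version: OpenSSL: Compile: OpenSSL 3.0.13 Runtime: OpenSSL 3.0.13'
SAMPLE_GNUTLS_4993='Exim version 4.99.3 #1 built 02-Feb-2026
Library version: GnuTLS: Compile: 3.8.9 Runtime: 3.8.9'
SAMPLE_GNUTLS_496='Exim version 4.96 #2 built 13-Aug-2023
Library version: GnuTLS: Compile: 3.7.9 Runtime: 3.7.9'

# Prints one of: affected, not-affected-version, not-affected-no-gnutls, unknown.
# Takes the -bV text as $1, or reads it from stdin when called without an argument.
exim_dead_letter_status() {
    bv=${1:-$(cat)}
    ver=$(printf '%s\n' "$bv" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    # Only GnuTLS builds carry the vulnerable BDAT/TLS-teardown path; OpenSSL builds do not.
    if ! printf '%s\n' "$bv" | grep -q 'GnuTLS'; then
        echo not-affected-no-gnutls
        return 0
    fi
    # Encode X.YY.Z as one integer so the check is a plain range test: 4.97.0 <= ver < 4.99.3.
    awk -v v="$ver" 'BEGIN {
        split(v, p, ".")
        n = p[1] * 1000000 + p[2] * 1000 + (p[3] + 0)
        if (n >= 4097000 && n < 4099003) print "affected"
        else print "not-affected-version"
    }'
}

# Demo over the constructed samples; on a real host, pipe "exim -bV" into the function instead.
for s in "$SAMPLE_GNUTLS_498" "$SAMPLE_OPENSSL_498" "$SAMPLE_GNUTLS_4993" "$SAMPLE_GNUTLS_496"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(exim_dead_letter_status "$s")"
done
```

A result of `affected` only says the build falls in the reported range; confirm against your distribution's backported-fix status before closing the ticket.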
Remediation
Patch, then assume compromise.
Exploits
No valid public exploits — Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.
Recent activity
84 sources tracked across advisories, community write-ups, and news.
A critical unauthenticated, wormable use-after-free vulnerability in the Exim mail transfer agent’s BDAT body parsing path during GnuTLS shutdown, described as leading to remote code execution.
A critical unauthenticated remote code execution vulnerability in certain Exim configurations caused by a use-after-free during TLS shutdown when handling chunked SMTP traffic.
A critical remote use-after-free vulnerability in Exim's handling of BDAT SMTP transfers over GnuTLS-enabled TLS sessions. It can cause memory corruption and potentially remote code execution when a TLS close_notify occurs during an active BDAT transfer and data continues on the same connection.
A remotely reachable use-after-free vulnerability in Exim before 4.99.3 under certain GnuTLS configurations, in the BDAT body parsing path, that can lead to heap corruption and unauthenticated remote code execution.
An unauthenticated remote code execution vulnerability affecting Exim, referred to as Dead.Letter.
A use-after-free vulnerability in Exim affecting versions 4.97+ built with GnuTLS, potentially leading to remote code execution or crash conditions via crafted SMTP/TLS interactions involving CHUNKING/BDAT and TLS close_notify.
A use-after-free vulnerability in Exim's GnuTLS-backed STARTTLS/BDAT handling that can corrupt allocator metadata and be escalated to remote code execution. The issue is significant because it reportedly requires little special server configuration and affects widely deployed Exim setups using GnuTLS.