{"id":244830,"date":"2026-05-12T12:44:00","date_gmt":"2026-05-12T16:44:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/12\/new-exim-bdat-vulnerability-exposes-gnutls-builds-to-potential-code-execution\/"},"modified":"2026-05-13T01:20:08","modified_gmt":"2026-05-13T05:20:08","slug":"new-exim-bdat-vulnerability-exposes-gnutls-builds-to-potential-code-execution","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/12\/new-exim-bdat-vulnerability-exposes-gnutls-builds-to-potential-code-execution\/","title":{"rendered":"New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution"},"content":{"rendered":"

New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/05\/new-exim-bdat-vulnerability-exposes.html<\/a><\/p>\n

Publish Date: 2026-05-12 12:44:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802May 12, 2026<\/span><\/span>Vulnerability \/ Email Security<\/span><\/p>\n

Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution.<\/p>\n

Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email.<\/p>\n

The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free vulnerability in Exim’s binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS.<\/p>\n

“The vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, and then follows up with a final byte in cleartext on the same TCP connection,” Exim said in an advisory released today.<\/p>\n

“This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension.”<\/p>\n

The issue impacts all Exim versions from 4.97 up to and including 4.99.2. That said, it only affects builds that use USE_GNUTLS=yes, meaning builds that rely on other TLS libraries like OpenSSL are not impacted.<\/p>\n

Federico Kirschbaum, head of Security Lab at XBOW, an autonomous cybersecurity testing platform, has been credited with discovering and reporting the flaw on May 1, 2026.<\/p>\n

“During TLS shutdown, Exim frees its TLS transfer buffer \u2013 but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (n) into the freed region,” Kirschbaum said. “That one-byte write lands on Exim’s allocator metadata, corrupting the allocator’s internal shape; the exploit then leverages that corruption to gain further primitives.”<\/p>\n