CVE-2026-45185

EUVD-2026-29824
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
Affected Products (NVD)
VendorProductVersion
eximexim
4.97 ≤
𝑥
< 4.99.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
exim4
bookworm
4.96-15+deb12u9
fixed
bookworm (security)
4.96-15+deb12u10
fixed
bullseye
vulnerable
bullseye (security)
4.94.2-7+deb11u6
fixed
forky
4.99.4-1
fixed
sid
4.99.4-1
fixed
trixie
4.98.2-1+deb13u2
fixed
trixie (security)
4.98.2-1+deb13u3
fixed
Common Weakness Enumeration
References
https://code.exim.org/exim/wiki/wiki/EximSecurity
https://exim.org
https://exim.org/static/doc/security/CVE-2026-45185.txt
https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/
https://news.ycombinator.com/item?id=48111748
https://www.openwall.com/lists/oss-security/2026/05/12/4
https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim
http://www.openwall.com/lists/oss-security/2026/05/12/25