CVE-2026-45185

EUVD-2026-29824
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption, and an unauthenticated network attacker exploiting it could execute arbitrary code. The advisory lists no workaround; as a general Exim measure (not one this page endorses), setting the main-configuration option chunking_advertise_hosts to an empty list stops CHUNKING, and with it BDAT, from being offered to clients, but only upgrading to 4.99.3 or the distribution's fixed package removes the bug.
CVSS 3.x Base Score
Provider   Type   Base Score     Attack Vector   Attack Complexity   Privileges Required   Vector
mitre      CNA    9.8 CRITICAL   NETWORK         LOW                 NONE                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: not yet available (percentile unknown)
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor   Product   Version               Source
exim     exim      4.97 <= x < 4.99.3    CNA
Debian Releases (package exim4)
Codename               Fixed version       Status
bookworm               -                   vulnerable
bookworm (security)    4.96-15+deb12u9     fixed
bullseye               -                   vulnerable
bullseye (security)    4.94.2-7+deb11u5    fixed
forky                  -                   vulnerable
sid                    -                   vulnerable
trixie                 -                   vulnerable
trixie (security)      4.98.2-1+deb13u2    fixed

Note that Debian tracks bullseye (4.94.2) and bookworm (4.96) as vulnerable even though those upstream versions sit below the CNA's 4.97 lower bound, and that the fixes are backported rather than shipped as 4.99.3. On Debian hosts, compare the installed exim4 package version against the security-suite version for that release rather than testing the upstream version against the CNA range.
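The version check that follows is an added example, not code from this page, from Exim or from Debian. It implements the dpkg version-ordering rules (epoch, then upstream, then Debian revision, each compared by alternating non-digit and digit runs with "~" sorting lowest) so that an installed exim4 version can be classified against the Debian fixed versions listed above, and an upstream version against the CNA range. The only data it carries is what the page states; the sample versions in the main block are constructed inputs, and DEBIAN_FIXED, debian_status and in_cna_range are names chosen here.

```python
import re
from itertools import zip_longest

# Affected upstream range published by the CNA on this page: 4.97 <= x < 4.99.3.
CNA_RANGE = ("4.97", "4.99.3")

# Fixed exim4 versions in the Debian security suites, as listed on this page.
# Releases with no fixed version on the page (forky, sid) are deliberately absent.
DEBIAN_FIXED = {
    "bullseye": "4.94.2-7+deb11u5",
    "bookworm": "4.96-15+deb12u9",
    "trixie": "4.98.2-1+deb13u2",
}


def _order(c):
    """dpkg ordering for non-digit characters: '~' sorts before the end of
    the string, letters before every other character."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for x, y in zip_longest(a, b, fillvalue=""):
        ox, oy = _order(x), _order(y)
        if ox != oy:
            return -1 if ox < oy else 1
    return 0


def _cmp_fragment(a, b):
    """Compare one version component (upstream or Debian revision) by
    alternating non-digit and digit runs, as dpkg does."""
    while a or b:
        ma, mb = re.match(r"\D*", a), re.match(r"\D*", b)
        r = _cmp_nondigit(ma.group(0), mb.group(0))
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        da, db = int(ma.group(0) or "0"), int(mb.group(0) or "0")
        if da != db:
            return -1 if da < db else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0


def split_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_cmp(v1, v2):
    """Return -1, 0 or 1 in the same sense as 'dpkg --compare-versions'."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def in_cna_range(upstream):
    """True if an upstream Exim version falls inside the CNA's affected range."""
    lo, hi = CNA_RANGE
    return dpkg_cmp(upstream, lo) >= 0 and dpkg_cmp(upstream, hi) < 0


def debian_status(codename, installed):
    """Classify an installed Debian exim4 version against the page's table:
    'fixed' at or above the security-suite version, 'vulnerable' below it,
    'unknown' for releases the page lists no fixed version for."""
    fixed = DEBIAN_FIXED.get(codename)
    if fixed is None:
        return "unknown"
    return "fixed" if dpkg_cmp(installed, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, of the form "dpkg-query -W -f='${Version}' exim4" prints.
    for release, ver in [("bookworm", "4.96-15+deb12u8"),
                         ("bookworm", "4.96-15+deb12u9"),
                         ("trixie", "4.98.2-1+deb13u1"),
                         ("sid", "4.99.2-1")]:
        print(release, ver, debian_status(release, ver))
    for ver in ["4.96", "4.97", "4.99.2", "4.99.3"]:
        print(ver, "in CNA range:", in_cna_range(ver))
```

The comparison is a faithful implementation of the dpkg algorithm rather than a string or float comparison, because "4.96-15+deb12u9" must sort above "4.96-15+deb12u8" while "4.96" must still sort below "4.97"; a naive split on dots gets the Debian revision wrong and misreports a backported fix as vulnerable.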