CVE-2026-45185
EPSS 0.1%. Researcher PoC published, active scanning interest, but no KEV listing or confirmed production impact yet.
What: Use-after-free in Exim before 4.99.3, in the BDAT (CHUNKING) body-parsing path of GnuTLS builds, triggered by a TLS close_notify sent mid-transfer followed by a cleartext byte on the same TCP connection; unauthenticated RCE via heap corruption.
Why it matters: Published 1 day ago; researcher interest is high (the XBOW team has publicized its discovery). No KEV listing yet, but NVD confirms unauthenticated RCE. Heavy FOFA scanning signal (6M+ instances tracked). Exim is widely deployed in mail infrastructure. The advisory's affected range ("before 4.99.3") implies 4.99.3 is the fixed release, but patch availability is not confirmed in the posts seen.
Where it's seen: FOFA threat-intel alerts, Dead Letter research blog posts, Hacker News discussion, security researcher commentary on RCE discovery mechanics. No confirmed in-the-wild exploitation or defender triage reports visible yet.
RISK: HIGH — Unauthenticated RCE in a mail server with millions of Internet-exposed instances; patch availability unconfirmed.
Description
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
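The advisory gives two conditions for exposure: a version before 4.99.3 and a GnuTLS build. The following is an added example (not code from Exim or from the XBOW write-up) that checks both from the output of `exim -bV`: the version comes from the first line and the TLS library from the "Support for:" line. The sample outputs are constructed to mirror that format, not captured from a real host; the binary name `exim4` for Debian-derived systems and the three result strings are this example's own choices.

```python
"""Check whether an Exim build falls in the CVE-2026-45185 affected range.

Added example, not code from Exim or from the XBOW write-up. Parses the
output of `exim -bV`, takes the version from the first line and the TLS
library from the "Support for:" line, and applies the advisory's two
conditions: version before 4.99.3 and a GnuTLS build.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass

# Fixed release implied by the advisory's "Exim before 4.99.3" bound.
FIXED_VERSION = (4, 99, 3)


@dataclass(frozen=True)
class EximBuild:
    version: tuple          # e.g. (4, 98, 1)
    tls_backend: str        # "GnuTLS", "OpenSSL" or "none"


def parse_bv_output(text: str) -> EximBuild:
    """Extract version and TLS backend from `exim -bV` output."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Exim version' line found")
    version = tuple(int(p) for p in m.group(1).split("."))
    support = re.search(r"^Support for:(.*)$", text, re.MULTILINE)
    features = support.group(1).split() if support else []
    if "GnuTLS" in features:
        backend = "GnuTLS"
    elif "OpenSSL" in features:
        backend = "OpenSSL"
    else:
        backend = "none"
    return EximBuild(version, backend)


def version_before(a: tuple, b: tuple) -> bool:
    """Dotted-version compare with zero padding, so (4, 99) < (4, 99, 3)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess(build: EximBuild) -> str:
    """Return 'patched', 'affected' or 'check-tls-backend'."""
    if not version_before(build.version, FIXED_VERSION):
        return "patched"
    if build.tls_backend == "GnuTLS":
        return "affected"
    # Version is in range but the advisory only names GnuTLS configurations;
    # an OpenSSL build is not described as affected. Upgrade regardless.
    return "check-tls-backend"


def assess_local_exim() -> str:
    """Run the installed binary and assess it ('not-installed' if absent)."""
    exe = shutil.which("exim") or shutil.which("exim4")  # exim4 on Debian/Ubuntu (assumption)
    if exe is None:
        return "not-installed"
    out = subprocess.run([exe, "-bV"], capture_output=True, text=True, check=False).stdout
    return assess(parse_bv_output(out))


# Constructed sample output modelled on the `exim -bV` format (not captured
# from a real host); only the first and "Support for:" lines are used.
SAMPLE_GNUTLS_OLD = """Exim version 4.98.1 #2 built 02-Apr-2025 10:11:12
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS TLS_resume DKIM DNSSEC Event OCSP PRDR
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
"""
SAMPLE_OPENSSL_OLD = SAMPLE_GNUTLS_OLD.replace("GnuTLS TLS_resume", "OpenSSL TLS_resume")
SAMPLE_FIXED = SAMPLE_GNUTLS_OLD.replace("Exim version 4.98.1", "Exim version 4.99.3")

if __name__ == "__main__":
    for name, sample in [("GnuTLS 4.98.1", SAMPLE_GNUTLS_OLD),
                         ("OpenSSL 4.98.1", SAMPLE_OPENSSL_OLD),
                         ("GnuTLS 4.99.3", SAMPLE_FIXED)]:
        print(f"{name}: {assess(parse_bv_output(sample))}")
    print(f"local exim: {assess_local_exim()}")
```

Run it on each MX host (or feed it `exim -bV` output collected by your inventory tooling). A "check-tls-backend" result means the version is in range but the build is not GnuTLS; the advisory scopes the bug to GnuTLS configurations, so treat that as a lower-priority upgrade rather than a clean bill of health.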
References
- https://code.exim.org/exim/wiki/wiki/EximSecurity
- https://exim.org
- https://exim.org/static/doc/security/CVE-2026-45185.txt
- https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/
- https://news.ycombinator.com/item?id=48111748
- https://www.openwall.com/lists/oss-security/2026/05/12/4
- https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim