
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution

Exim has released version 4.99.3 to address a critical use-after-free vulnerability, tracked as CVE-2026-45185, which could allow remote attackers to execute arbitrary code on affected mail servers.

Key Points

  • The vulnerability, nicknamed Dead.Letter, affects Exim versions 4.97 through 4.99.2 specifically when configured with the GnuTLS library.
  • Attackers can trigger memory corruption by sending a TLS close_notify alert during a BDAT message body transfer followed by cleartext data.
  • Security researcher Federico Kirschbaum of XBOW discovered the flaw, noting that it allows attackers to overwrite allocator metadata to gain further control.
  • There are no available workarounds for this issue, making an immediate upgrade to version 4.99.3 the only way to secure vulnerable systems.
  • Builds of Exim that utilize OpenSSL instead of GnuTLS are not susceptible to this specific security exploit.
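
Because only GnuTLS builds in the 4.97 to 4.99.2 range are affected, the first thing to check on each mail server is the version and the TLS library it was linked against. The script below is an added example, not code from the Exim project or from The Hacker News: it parses the output of `exim -bV` (the version banner and the `Support for:` feature line, whose format is assumed from typical Exim builds that list `GnuTLS` or `OpenSSL` there) and classifies the host against the range given above. The sample outputs are constructed for the example.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Range stated in the advisory summary: 4.97 up to and including 4.99.2,
# fixed in 4.99.3, and only when Exim is built with GnuTLS.
FIRST_AFFECTED: Version = (4, 97, 0)
FIXED_IN: Version = (4, 99, 3)

# "Exim version 4.99.2 #1 built 12-Jan-2026 ..." -> major, minor, optional patch
VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.M)
# "Support for: ... GnuTLS ..." or "... OpenSSL ..." (assumed feature names)
SUPPORT_RE = re.compile(r"^Support for:(.*)$", re.M)


def parse_exim_bv(output: str) -> Tuple[Optional[Version], Optional[str]]:
    """Return (version, tls_library) parsed from `exim -bV` text."""
    version: Optional[Version] = None
    m = VERSION_RE.search(output)
    if m:
        version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

    tls: Optional[str] = None
    s = SUPPORT_RE.search(output)
    if s:
        features = s.group(1).split()
        if "GnuTLS" in features:
            tls = "GnuTLS"
        elif "OpenSSL" in features:
            tls = "OpenSSL"
    return version, tls


def is_affected(version: Optional[Version], tls: Optional[str]) -> bool:
    """True only for GnuTLS builds inside [FIRST_AFFECTED, FIXED_IN)."""
    if version is None or tls is None:
        return False  # unknown: caller must report it, not treat it as safe
    return tls == "GnuTLS" and FIRST_AFFECTED <= version < FIXED_IN


def assess(output: str) -> str:
    """Classify one `exim -bV` output as affected / not affected / unknown."""
    version, tls = parse_exim_bv(output)
    if version is None:
        return "unknown: could not parse Exim version"
    if tls is None:
        return "unknown: TLS library not listed on the 'Support for:' line"
    return "affected" if is_affected(version, tls) else "not affected"


def assess_local(exim_binary: str = "exim") -> str:
    """Run the local binary and classify it (needs Exim installed)."""
    proc = subprocess.run([exim_binary, "-bV"], capture_output=True,
                          text=True, check=False)
    return assess(proc.stdout)


# Constructed sample outputs (abridged); real -bV output has more lines.
SAMPLE_GNUTLS_OLD = (
    "Exim version 4.97 #2 built 07-Nov-2023 10:00:00\n"
    "Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR\n"
    "Configuration file is /etc/exim4/exim4.conf\n"
)
SAMPLE_GNUTLS_LAST_BAD = SAMPLE_GNUTLS_OLD.replace("4.97 #2", "4.99.2 #1")
SAMPLE_GNUTLS_FIXED = SAMPLE_GNUTLS_OLD.replace("4.97 #2", "4.99.3 #1")
SAMPLE_OPENSSL = SAMPLE_GNUTLS_LAST_BAD.replace("GnuTLS", "OpenSSL")
SAMPLE_NO_TLS_INFO = "Exim version 4.98 #1 built 01-Jan-2025 00:00:00\n"

if __name__ == "__main__":
    for name, sample in [("gnutls 4.97", SAMPLE_GNUTLS_OLD),
                         ("gnutls 4.99.2", SAMPLE_GNUTLS_LAST_BAD),
                         ("gnutls 4.99.3", SAMPLE_GNUTLS_FIXED),
                         ("openssl 4.99.2", SAMPLE_OPENSSL),
                         ("no tls info", SAMPLE_NO_TLS_INFO)]:
        print(f"{name:16s} -> {assess(sample)}")
```

Two caveats when running this against real hosts: distributions such as Debian and Ubuntu build their exim4 packages against GnuTLS, so a default install there falls in scope, and a distribution may backport the fix without bumping the upstream version string, so an "affected" result from the version alone should be confirmed against the distribution's own advisory before treating the host as unpatched.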

Why it Matters

This vulnerability poses a significant risk to email infrastructure because it lets an unauthenticated remote attacker potentially take control of a mail server. Organizations running Exim should prioritize patching, since the bug is critical and requires little beyond a TLS-enabled GnuTLS build to trigger.
Published by info@thehackernews.com (The Hacker News)