Critical Use-After-Free Vulnerability Haunts Exim Mail Server: Immediate Patch Required
**Exim**, a widely used open-source Mail Transfer Agent (MTA), has released a security update to address a critical use-after-free vulnerability. The flaw, dubbed 'Dead.Letter' and tracked as **CVE-2026-45185**, could lead to memory corruption and potential remote code execution on affected systems.

### Understanding the Vulnerability
**Exim** is commonly deployed on Unix-like systems for email routing and delivery. The newly disclosed vulnerability, **CVE-2026-45185**, stems from a use-after-free issue in Exim's handling of BDAT (CHUNKING) message bodies, specifically when the TLS connection is managed by **GnuTLS**.
According to the official advisory, the vulnerability is triggered when a client sends a TLS `close_notify` alert prematurely, before the complete BDAT message body has been transmitted. Subsequently, the client sends a final byte in cleartext over the same TCP connection. This sequence of events can cause **Exim** to write data into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption.
"This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension."
### Scope of Impact
The vulnerability affects **Exim** versions 4.97 up to and including 4.99.2. However, it's crucial to note that the issue is only present in builds configured with `USE_GNUTLS=yes`. This means that **Exim** installations relying on other TLS libraries, such as **OpenSSL**, are not vulnerable.
### Discovery and Reporting
**Federico Kirschbaum**, Head of Security Lab at **XBOW**, an autonomous cybersecurity testing platform, is credited with discovering and reporting the vulnerability on May 1, 2026.
**XBOW** characterized the vulnerability as a high-severity bug, emphasizing that it requires minimal server configuration to trigger.
### Remediation
The vulnerability has been addressed in **Exim** version 4.99.3. Users are strongly advised to upgrade to this version as soon as possible. Currently, there are no known mitigations that completely resolve the vulnerability without patching.
"The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used," **Exim** stated.
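The affected-version range and the build-configuration condition stated above (4.97 through 4.99.2, GnuTLS builds only, fixed in 4.99.3) translate directly into a check an administrator can run on each host. The following is an added Python example, not Exim's own tooling and not part of the advisory. It assumes `exim -bV` prints an `Exim version X.Y.Z` line and a `Support for:` line that names the TLS library (`GnuTLS` or `OpenSSL`); the sample outputs embedded below are constructed for illustration.

```python
"""Classify an Exim build against the CVE-2026-45185 advisory.

Added example (not Exim project code). Assumed `exim -bV` format:
an "Exim version X.Y.Z ..." line plus a "Support for: ..." line that
lists the TLS library the binary was built with.
"""
import re
import subprocess

# Version boundaries taken from the advisory text on this page.
AFFECTED_MIN = (4, 97, 0)   # first affected release
AFFECTED_MAX = (4, 99, 2)   # last affected release
FIXED = (4, 99, 3)          # release carrying the fix

# Constructed sample outputs (not captured from real hosts).
SAMPLE_GNUTLS_AFFECTED = (
    "Exim version 4.98.1 #2 built 01-Jan-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC\n"
)
SAMPLE_OPENSSL_SAME_RANGE = (
    "Exim version 4.98.1 #2 built 01-Jan-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC\n"
)
SAMPLE_GNUTLS_FIXED = (
    "Exim version 4.99.3 #1 built 02-Jan-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC\n"
)


def parse_version(text):
    """Return (major, minor, patch) from the version line, or None."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    # "4.97" has no patch component; pad with 0 so tuples compare cleanly.
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def uses_gnutls(text):
    """True if the 'Support for:' line lists GnuTLS (USE_GNUTLS=yes build)."""
    for line in text.splitlines():
        if line.startswith("Support for:"):
            return "GnuTLS" in line.split()
    return False


def assess(text):
    """Map `exim -bV` output to a verdict string for CVE-2026-45185."""
    ver = parse_version(text)
    if ver is None:
        return "unknown"
    # OpenSSL (and other non-GnuTLS) builds are not affected at any version.
    if not uses_gnutls(text):
        return "not-affected (non-GnuTLS build)"
    if AFFECTED_MIN <= ver <= AFFECTED_MAX:
        return "vulnerable: upgrade to 4.99.3"
    if ver >= FIXED:
        return "fixed"
    return "not-affected (version outside affected range)"


def assess_local():
    """Run the real binary on this host and classify it."""
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    return assess(out)


if __name__ == "__main__":
    print(assess_local())
```

Run it as a script on each mail host (it invokes `exim -bV`), or import `assess` and feed it output collected by a configuration-management tool. The GnuTLS check comes before the version check so that an OpenSSL build in the affected range is reported as not affected, matching the advisory's scope.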
### Historical Context
This is not the first time **Exim** has faced critical use-after-free vulnerabilities. In late 2017, a similar flaw (**CVE-2017-16943**, CVSS score: 9.8) was patched in the SMTP daemon. Unauthenticated attackers could exploit that vulnerability to achieve remote code execution via specially crafted BDAT commands.