New critical Exim mailer flaw allows remote code execution
Exim’s open‑source mail transfer agent has a critical vulnerability (CVE-2026-45185) that allows unauthenticated remote code execution on affected builds (Exim 4.97–4.99.2) compiled with GnuTLS. The bug is a use-after-free during TLS shutdown in BDAT chunked SMTP traffic and can give attackers control over the server; OpenSSL builds are not affected. A patch is available in Exim 4.99.3. The flaw was discovered by Federico Kirschbaum of XBOW, who demonstrated an AI‑assisted PoC exploit, though researchers note humans still play a crucial role. Ubuntu and Debian users should update via their package managers.

Overview
- A critical vulnerability identified as CVE-2026-45185 affects certain configurations of the Exim open-source mail transfer agent (MTA). It could be exploited by an unauthenticated remote attacker to execute arbitrary code on the affected system.
- The flaw targets Exim versions 4.97 through 4.99.2 that are built with the GNU Transport Layer Security (GnuTLS) library and advertise STARTTLS with CHUNKING. OpenSSL-based builds are not affected.
- The issue arises during TLS shutdown while Exim is processing BDAT-chunked SMTP traffic, creating a window where memory operations can be hijacked to achieve remote code execution.
Vulnerability details
- Nature of the bug: a use-after-free (UAF) condition in which Exim frees a TLS transfer buffer but later resumes using stale callback references, which can write into the memory region that has already been freed.
- Trigger: the UAF occurs specifically during the TLS shutdown phase in the handling of BDAT chunked SMTP data.
- Consequences: an unauthenticated attacker could run commands on the server, access Exim data and emails, and potentially pivot to other parts of the environment depending on the server’s permissions and configuration.
- Builds affected: Exim 4.97 through 4.99.2 compiled against GnuTLS with STARTTLS and CHUNKING enabled. Builds that use OpenSSL are not affected.
Impact and exposure
- Immediate risk: remote code execution without requiring valid credentials or prior access.
- Data exposure: potential access to emails and Exim-related data stored on the server.
- Lateral movement: depending on the server’s permissions, an attacker could attempt further compromise within the host environment.
Affected environments
- Commonly deployed on Linux servers and Unix-like environments where Exim serves as the default MTA.
- Typical deployments include enterprise mail systems, shared hosting environments, and Debian- or Ubuntu-based distributions, where Exim has historically been used as the default mail server.
Discovery, disclosure, and response timeline
- Discovery: The vulnerability was identified by XBOW researcher Federico Kirschbaum.
- Initial report: Reported to the Exim maintainers on May 1, 2026.
- Acknowledgment: Exim acknowledged the report on May 5, 2026.
- Notifications: Impacted Linux distributions were alerted a few days later.
- Patch release: A fix was released as Exim version 4.99.3.
- Public advisory reference: Coverage and details circulated in the OSS-security channels around the patch release date (mid-May 2026).
Patch and version details
- Remedial release: Exim 4.99.3 includes the security fix for CVE-2026-45185.
- Affected distributions: distributions that ship GnuTLS-enabled Exim builds should upgrade to the patched version to mitigate the vulnerability.
- OpenSSL builds: no evidence of impact for OpenSSL-based Exim configurations.
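The two facts a defender needs in order to triage a host against this advisory are both visible locally: the Exim version and TLS library reported by `exim -bV`, and whether the server advertises both STARTTLS and CHUNKING in its EHLO response. The following is an added example (not code from the article, Exim, or XBOW) that parses those two outputs and applies the affected range stated above (4.97 through 4.99.2, GnuTLS builds only, fixed in 4.99.3). The `exim -bV` and EHLO samples are constructed, and the exact layout of the `Library version:` and `Support for:` lines is an assumption about Exim's output format; adjust the regular expressions if your build prints them differently.

```python
import re
from typing import Optional, Set, Tuple

# Affected range taken from the advisory text: 4.97 <= version <= 4.99.2, GnuTLS builds only.
AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)
FIXED_VERSION = "4.99.3"

# Constructed sample of `exim -bV` output for a GnuTLS build in the affected range.
GNUTLS_BV = """\
Exim version 4.98.1 #2 built 12-Feb-2026 10:11:12
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS TLS_resume DKIM DNSSEC Event OCSP PRDR PROXY SOCKS
Library version: GnuTLS: Compile: 3.8.3
"""

# Constructed sample: same version, but linked against OpenSSL (not affected).
OPENSSL_BV = """\
Exim version 4.98.1 #2 built 12-Feb-2026 10:11:12
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL TLS_resume DKIM DNSSEC Event OCSP PRDR PROXY SOCKS
Library version: OpenSSL: Compile: OpenSSL 3.0.13 30 Jan 2024
"""

# Constructed sample: GnuTLS build already on the fixed release.
PATCHED_BV = """\
Exim version 4.99.3 #1 built 15-May-2026 08:00:00
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS TLS_resume DKIM DNSSEC Event OCSP PRDR PROXY SOCKS
Library version: GnuTLS: Compile: 3.8.3
"""

# Constructed multi-line EHLO response advertising both extensions named in the advisory.
EHLO_RESPONSE = """\
250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP
"""


def parse_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the 'Exim version X.Y[.Z]' line; missing patch level is 0."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_library(bv_output: str) -> Optional[str]:
    """Return 'GnuTLS' or 'OpenSSL' from the 'Library version:' line, falling back to 'Support for:'."""
    m = re.search(r"^Library version:\s*(GnuTLS|OpenSSL)", bv_output, re.MULTILINE)
    if m:
        return m.group(1)
    m = re.search(r"^Support for:.*?\b(GnuTLS|OpenSSL)\b", bv_output, re.MULTILINE)
    return m.group(1) if m else None


def ehlo_extensions(response: str) -> Set[str]:
    """Collect extension keywords from a 250 EHLO reply; the first 250 line is the greeting, not an extension."""
    exts: Set[str] = set()
    seen_greeting = False
    for line in response.splitlines():
        m = re.match(r"250[- ](\S+)", line)
        if not m:
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        exts.add(m.group(1).upper())
    return exts


def assess(bv_output: str, ehlo_response: Optional[str] = None) -> dict:
    """Combine build facts and (optionally) the advertised EHLO extensions into a triage verdict."""
    version = parse_version(bv_output)
    lib = tls_library(bv_output)
    vulnerable_build = (
        version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX and lib == "GnuTLS"
    )
    exposed = None  # unknown unless an EHLO response is supplied
    if ehlo_response is not None:
        exposed = {"STARTTLS", "CHUNKING"}.issubset(ehlo_extensions(ehlo_response))
    if not vulnerable_build:
        advice = "not affected: version outside 4.97-4.99.2 or not a GnuTLS build"
    elif exposed is False:
        advice = f"vulnerable build; STARTTLS and CHUNKING not both advertised, still upgrade to {FIXED_VERSION}"
    else:
        advice = f"vulnerable build with STARTTLS+CHUNKING advertised: upgrade to Exim {FIXED_VERSION} or later"
    return {
        "version": version,
        "tls_library": lib,
        "vulnerable_build": vulnerable_build,
        "exposed": exposed,
        "advice": advice,
    }


if __name__ == "__main__":
    for label, sample in (("gnutls", GNUTLS_BV), ("openssl", OPENSSL_BV), ("patched", PATCHED_BV)):
        print(label, assess(sample, EHLO_RESPONSE))
```

On a real host, feed `assess()` the captured output of `exim -bV` and the reply to an EHLO sent to port 25 or 587; a `vulnerable_build` result is the signal to schedule the upgrade to 4.99.3, while the `exposed` flag only tells you whether the STARTTLS and CHUNKING preconditions named in the advisory are advertised, not whether the host has been exploited.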
AI-assisted exploit development and testing
- Experimental effort: XBOW conducted a seven-day, AI-assisted exploration to develop a proof-of-concept exploit.
- Collaboration: The process involved XBOW Native, an autonomous AI-driven development system, working with a human researcher aided by a large language model.
- Targeted environments: Early PoCs were demonstrated on simplified Exim servers running without Address Space Layout Randomization (ASLR) and built as non-PIE binaries.
- Escalation conditions: When tested on systems with ASLR enabled and PIE in use, the AI-assisted approach faced significant hurdles.
- Outcome and reflections: The human researcher ultimately guided the exploitation effort. The team highlighted both the potential of AI tools to accelerate understanding of complex code and the current limitations of fully autonomous exploit development in real-world targets.
- Takeaway on AI in security research: AI can expedite analysis and exploration of suspicious areas and unfamiliar code, but human oversight remains essential for validating feasibility and safety in production-like targets.
Remediation notes and ecosystem context
- Patch availability: A security fix is available in Exim 4.99.3, and the advisory indicates affected parties should transition to this version.
- Acknowledgment of scope: OpenSSL-based Exim builds were confirmed not to be affected by this particular flaw.
- Trust and risk framing: The disclosure underscores the ongoing need for careful TLS handling in mail servers and the importance of staying current with vendor patches.
Related developments and context
- The vulnerability sits within a broader landscape of mail server security issues and remote code execution flaws that have surfaced in recent years.
- Related topics include other high-severity RCE vulnerabilities in messaging and automation tooling, as well as ongoing research into AI-assisted security analysis and exploit development.
- Ongoing research efforts continue to examine the interaction between TLS implementations, memory management, and network-facing services like MTAs, highlighting the need for robust memory safety and defensive design in server software.
Summary
- CVE-2026-45185 represents a critical RCE risk for Exim deployments using GnuTLS with STARTTLS and CHUNKING enabled, affecting versions 4.97–4.99.2.
- The vulnerability is rooted in a use-after-free scenario during TLS shutdown while processing BDAT data, allowing an unauthenticated remote attacker to execute arbitrary code.
- A patch is available in Exim 4.99.3, with OpenSSL builds unaffected.
- The public discussion around AI-assisted exploit development illustrates both the promise of automated security research tools and the continued necessity for human expertise in validating exploit feasibility and remediation in real-world environments.
- The incident reinforces the importance of timely patch adoption and ongoing vigilance in mail server security to reduce exposure to remote code execution risks.