Critical 'Dead.Letter' use-after-free in Exim mail server enables unauthenticated remote code execution over TLS - GnuTLS builds only (CVE-2026-45185)
Exim, the open-source mail transfer agent that ships as the default MTA on Debian and handles a large share of internet mail, has a critical use-after-free in its handling of message bodies sent with the BDAT chunking extension over TLS. The flaw, CVE-2026-45185 (CVSS 9.8), nicknamed Dead.Letter by its discoverer XBOW, triggers when a TLS connection is closed with close_notify mid-BDAT and Exim then processes one more cleartext byte. That byte is written into already-freed memory, corrupting the heap, and XBOW turned the corruption into an unauthenticated RCE primitive. Only Exim builds compiled with USE_GNUTLS=yes are affected; OpenSSL builds are not.
- Check: Confirm the installed Exim version and how the package was built (GnuTLS or OpenSSL). On every internet-facing MTA you own, look for EHLO responses on TCP/25, TCP/465 and TCP/587 that advertise both STARTTLS and CHUNKING.
- Affected: Exim 4.97 through 4.99.2 compiled with USE_GNUTLS=yes (the Debian default). This covers internet-facing MTAs that advertise both STARTTLS and CHUNKING (BDAT), a common configuration at ISPs, shared hosting providers, universities and small relays.
- Fix: Upgrade to Exim 4.99.3 or the matching distribution package (Debian DSA-6265-1 covers oldoldstable, oldstable and stable; Ubuntu 24.04 LTS shipped its update on May 12). Where patching is blocked, rebuild against OpenSSL or restrict the SMTP ports to known peers.