Threat Advisory

One-Byte Heap Corruption in Exim Exposes Global Mail Servers to Takeover

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-45185 (CVSS score 9.8) is a remote heap corruption vulnerability in Exim's GnuTLS backend, affecting Exim versions 4.97 through 4.99.2 when compiled with USE_GNUTLS=yes. The bug occurs while Exim handles large email body transfers sent via the CHUNKING (BDAT) SMTP extension over an encrypted TLS connection. An attacker triggers it by sending a TLS close_notify alert before the body transfer is finished and immediately following it with a final byte sent in cleartext over the same TCP connection, relying on Exim to free its transfer buffer while a "nested BDAT receive wrapper" continues to process the incoming cleartext byte; this lets the attacker corrupt the allocator's internal shape and obtain the primitives needed for a full exploit. A successful exploit gives the attacker control of the mail server, allowing them to read, modify, or delete sensitive email data and execute arbitrary code with root privileges. The business impact is significant: thousands of mail servers worldwide are exposed to takeover, with potential consequences including data breaches, email spoofing, and other malicious activity. The exploit requires almost no special server configuration beyond the default ability to establish a TLS connection and use BDAT.
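As an added check (not part of this advisory or of the Exim project), the script below parses `exim -bV` output and reports whether the installed build falls in the affected version range and was built with GnuTLS; it assumes the banner's "Support for:" line names the TLS library and that the binary is on the PATH as `exim`. The sample banners are constructed, not real captures.

```python
import re
import subprocess

# Affected range stated in the advisory (GnuTLS builds only) and the fixed release.
AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)
FIXED_VERSION = (4, 99, 3)

# Constructed samples of `exim -bV` output (not real captures); the "Support for:"
# line is assumed to name the TLS library, as it does on GnuTLS/OpenSSL builds.
SAMPLE_GNUTLS = """Exim version 4.98 #2 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.8.0 Runtime: 3.8.0
"""
SAMPLE_OPENSSL = """Exim version 4.98 #2 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event OCSP PRDR
"""
SAMPLE_FIXED = """Exim version 4.99.3 #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR
"""

def parse_version(bv_output):
    """Return (major, minor, patch) from the 'Exim version X.Y[.Z]' banner, or None."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def uses_gnutls(bv_output):
    """True when the 'Support for:' line lists GnuTLS (i.e. built with USE_GNUTLS=yes)."""
    for line in bv_output.splitlines():
        if line.startswith("Support for:"):
            return "gnutls" in line.lower()
    return False

def assess(bv_output):
    """Combine version range and TLS backend into an affected/not-affected verdict."""
    version = parse_version(bv_output)
    in_range = version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX
    gnutls = uses_gnutls(bv_output)
    return {"version": version, "gnutls": gnutls, "affected": in_range and gnutls}

def assess_local_exim(binary="exim"):
    """Run the installed binary (path is an assumption) and assess its banner."""
    out = subprocess.run([binary, "-bV"], capture_output=True, text=True, check=False).stdout
    return assess(out)

if __name__ == "__main__":
    for name, sample in (("gnutls", SAMPLE_GNUTLS), ("openssl", SAMPLE_OPENSSL), ("fixed", SAMPLE_FIXED)):
        print(name, assess(sample))
```

Run `assess_local_exim()` on the mail host itself; a build that reports `affected: True` should be upgraded to the fixed release named in the recommendation below.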

RECOMMENDATION:

We recommend updating Exim to version 4.99.3.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/exim-vulnerability-cve-2026-45185-gnutls-heap-corruption/
