CRITICALCVE-2026-45185Published 2026-05-12Modified 2026-05-14CNA mitre

CVE-2026-45185: Exim before 4

Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 4.99.3
Affected Products: 1

Fix available

4.99.3

Affected packages

Exim / Exim
< 4.99.3 (from 4.97)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

exim.org
code.exim.org
exim.org
xbow.com
news.ycombinator.com
openwall.com
exim.org

Metrics

Fix available