PT-2026-40334 · Gnu+1 · Gnutls+1

Published 2026-05-12 · Updated 2026-05-13 · CVE-2026-45185

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Exim versions 4.97 through 4.99.2

Description: A use-after-free issue exists in Exim when compiled with GnuTLS, specifically within the BDAT body parsing path used during CHUNKING transfers. An unauthenticated network attacker can trigger it by establishing a TLS connection, starting a BDAT chunked transfer, sending a TLS close_notify alert before the body is complete, and then sending a final cleartext byte (such as a newline character) on the same TCP connection. This sequence causes Exim to free its TLS transfer buffer while the BDAT receive wrapper continues to process the trailing byte via ungetc(), writing into freed heap memory. The resulting heap corruption can allow the attacker to execute arbitrary code. Builds using OpenSSL are not affected.

Recommendations: Update Exim to version 4.99.3. As a temporary mitigation, consider limiting BDAT (CHUNKING) exposure or restricting SMTP access to minimize the risk of exploitation.
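An affected-build check, added here as an example and not part of the advisory: it reads the "Exim version" and "Support for:" lines that `exim -bV` prints (the sample output below is constructed) and flags only GnuTLS builds in the 4.97 to 4.99.2 range, since OpenSSL builds are not affected.

```python
import re
import subprocess

# Affected range as stated in the advisory; 4.99.3 is the fixed release.
AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)

# Constructed sample of `exim -bV` output (only the lines this check reads).
SAMPLE_GNUTLS = """Exim version 4.98.1 #2 built 01-Jan-2026 10:00:00
Support for: crypteq iconv() IPv6 PAM Expand_dlfunc GnuTLS DKIM DNSSEC OCSP PRDR
Library version: GnuTLS: Compile: 3.8.4 Runtime: 3.8.4
"""
SAMPLE_OPENSSL = SAMPLE_GNUTLS.replace("GnuTLS", "OpenSSL")


def parse_version(bv_output):
    """Return (major, minor, patch) from the 'Exim version X.Y[.Z]' line."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line in exim -bV output")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_library(bv_output):
    """Return 'GnuTLS', 'OpenSSL' or None from the 'Support for:' feature list."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    features = set(m.group(1).split()) if m else set()
    for lib in ("GnuTLS", "OpenSSL"):
        if lib in features:
            return lib
    return None


def is_affected(bv_output):
    """True only for a GnuTLS build whose version lies inside the affected range."""
    version = parse_version(bv_output)
    return tls_library(bv_output) == "GnuTLS" and AFFECTED_MIN <= version <= AFFECTED_MAX


def check_local_exim(binary="exim"):
    """Run the local binary and report whether this host needs the 4.99.3 update."""
    out = subprocess.run([binary, "-bV"], capture_output=True, text=True, check=True).stdout
    return is_affected(out)


if __name__ == "__main__":
    print("affected" if check_local_exim() else "not affected")
```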

Fix · LPE · DoS · RCE · Use After Free

Weakness Enumeration

Related Identifiers: CVE-2026-45185

Affected Products: Exim, Gnutls