PT-2026-40334 · Exim+3

Published 2026-05-12 · Updated 2026-06-22 · CVE-2026-45185

CVSS v2.0: 10.0 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Exim versions 4.97 through 4.99.2
Description: A use-after-free exists in the BDAT body-parsing path of Exim when Exim is built against GnuTLS. The flaw is triggered when a client, during a CHUNKING (BDAT) transfer and before the chunked body is complete, sends a TLS close_notify alert and then one further cleartext byte on the same TCP connection. On the close_notify Exim frees its TLS transfer buffer, but the nested BDAT receive wrapper remains active and still refers to that buffer. When the trailing byte is processed, ungetc() pushes it back into the freed heap block, corrupting the heap. An unauthenticated remote attacker can use this to execute arbitrary code or to cause a denial of service. The trigger needs both a TLS session and the CHUNKING extension, which Exim advertises by default; only builds that use GnuTLS for TLS are affected as described. It is estimated that over 3.7 million services worldwide may be affected, with up to 20,000 potentially vulnerable servers in the Russian internet segment.
Recommendations: Update Exim to version 4.99.3 or later. Until the update can be applied, reduce exposure: stop advertising CHUNKING so that clients cannot enter the BDAT path (in Exim's main configuration the chunking_advertise_hosts option selects the hosts to which the extension is offered; an empty value offers it to none), and restrict which hosts may reach the SMTP listener. Disabling CHUNKING removes the trigger sequence described above but is a workaround, not a fix; the update is still required.
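As an added triage example (not code from Exim or from this advisory), the Python below decides from a server's SMTP banner whether it reports an upstream version in the affected range, and from its EHLO response whether CHUNKING is still advertised, i.e. whether the BDAT path is reachable after applying the workaround. It assumes Exim's default banner format ("... ESMTP Exim <version> ..."); the banner and EHLO reply embedded in it are constructed samples, and probe(), the hostnames and the helo_name value are this example's own choices.

```python
"""Triage helpers for the Exim BDAT/CHUNKING use-after-free advisory.

Added example, not code from Exim or from the advisory. It parses an SMTP
banner (or 'exim -bV' output) for the upstream version and an EHLO reply
for advertised extensions. The affected range is taken from the advisory.
"""
import re
import socket

# Affected upstream versions per the advisory: 4.97 through 4.99.2 inclusive
AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)

# Matches "Exim 4.98.1" (default banner) and "Exim version 4.98.1" (exim -bV)
_VERSION_RE = re.compile(r"\bExim (?:version )?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the upstream Exim version found in text as (major, minor, patch),
    or None if no Exim version string is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text):
    """True when the version reported in text lies inside the affected range."""
    v = parse_version(text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def ehlo_capabilities(response):
    """Parse a raw multi-line EHLO reply into the set of extension keywords
    (upper-cased, parameters dropped). The first 250 line is the greeting."""
    caps = set()
    lines = response.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # strip the '250-' / '250 ' prefix
        if body:
            caps.add(body.split()[0].upper())
    return caps


def chunking_advertised(response):
    """True when CHUNKING is offered, i.e. a client can reach the BDAT path."""
    return "CHUNKING" in ehlo_capabilities(response)


def probe(host, port=25, timeout=5.0, helo_name="probe.example"):
    """Read the banner, send EHLO and return a triage dict.
    Touches the network: run only against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.readline().decode("utf-8", "replace")
        s.sendall(f"EHLO {helo_name}\r\n".encode())
        ehlo = ""
        while True:
            line = f.readline().decode("utf-8", "replace")
            if not line:
                break
            ehlo += line
            if len(line) >= 4 and line[3] == " ":  # '250 ' closes the reply
                break
        s.sendall(b"QUIT\r\n")
    return {
        "version": parse_version(banner),
        "affected_version": is_affected(banner),
        "chunking_advertised": chunking_advertised(ehlo),
    }


# Constructed sample data (not captured from any real host)
SAMPLE_BANNER = (
    "220 mx.example.test ESMTP Exim 4.98.1 Tue, 12 May 2026 10:00:00 +0000\r\n"
)
SAMPLE_EHLO = (
    "250-mx.example.test Hello probe.example [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

if __name__ == "__main__":
    print("version:", parse_version(SAMPLE_BANNER))
    print("affected version:", is_affected(SAMPLE_BANNER))
    print("CHUNKING advertised:", chunking_advertised(SAMPLE_EHLO))
```

A version match is not conclusive for distribution packages: the fix usually arrives as a backport that keeps the upstream version string (the Ubuntu USNs under Related Identifiers are of that kind), so check the package changelog there. Conversely, a host that no longer advertises CHUNKING has only removed the trigger path and still needs the update.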

Tags: Exploit · Fix · DoS · LPE · RCE · Use After Free


Weakness Enumeration

Related Identifiers

BDU:2026-06520
CVE-2026-45185
USN-8270-1
USN-8382-1

Affected Products

Exim
GnuTLS
Linux Mint
Ubuntu