CVE-2026-45185 PUBLISHED

Assigner: mitre
Reserved: 10.05.2026 Published: 12.05.2026 Updated: 13.05.2026

Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Exim
Product	Exim
Versions	Default: unaffected affected from 4.97 to 4.99.3 (excl.)

References

https://exim.org
https://code.exim.org/exim/wiki/wiki/EximSecurity
https://exim.org/static/doc/security/CVE-2026-45185.txt
https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim
https://news.ycombinator.com/item?id=48111748
https://www.openwall.com/lists/oss-security/2026/05/12/4
https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/

Problem Types

CWE-416 Use After Free CWE