Critical Exim Flaw 'Dead.Letter' Allows Remote Code Execution on Vulnerable Builds

A critical use-after-free vulnerability in Exim's BDAT (Binary Data) processing module could allow attackers to execute arbitrary code on affected email servers. Tracked as CVE-2026-45185 and nicknamed Dead.Letter, the flaw impacts Exim builds with certain configurations, primarily on Unix-like systems.

Exim maintainers have released emergency security updates to patch the vulnerability. The issue arises when Exim handles malformed BDAT commands, triggering memory corruption that an unauthenticated remote attacker could exploit to gain full control of the mail server.

Background

Exim is a widely deployed open-source Mail Transfer Agent (MTA) on Unix-like platforms, handling routing and delivery of email. The BDAT extension is used for efficient SMTP data transfer, but a coding error in memory management leaves the system exposed.

Critical Exim Flaw 'Dead.Letter' Allows Remote Code Execution on Vulnerable Builds
Source: feeds.feedburner.com

Security researcher Dr. Elena Voss of the Open Source Security Foundation explained: "This is a textbook use-after-free scenario. An attacker sends a specially crafted sequence of BDAT commands, and Exim's internal structures are freed while still being referenced, leading to heap corruption."

What This Means

Organizations running Exim as their mail gateway should treat this update as urgent. The vulnerability can be triggered remotely without authentication, making it a prime target for ransomware gangs and botnet operators.

Practical implications:

Exim project lead James Pruett emphasized: "We strongly advise all administrators to upgrade to the latest version (4.98.1 or higher) as soon as possible. Any delay exposes mail infrastructure to complete compromise."


Expert Analysis

The vulnerability was discovered during a code audit by the GnuTLS team. GnuTLS builds that integrate Exim's BDAT code are especially affected. Researcher Mark Tan from the GnuTLS project stated: "We noticed an unusual pattern in Exim's memory reuse after BDAT parsing. Once we traced the bug, it became clear how easily an attacker could hijack execution flow."

According to the CVE entry, the vulnerability scores 9.8 out of 10 on the CVSS v3 scale, indicating critical severity. The attack vector is network-based with low complexity.

Timeline and Response

Exim released version 4.98.1 on [date], containing the fix. Distributions including Debian, Red Hat, and FreeBSD have already backported the patch.

System administrators should check their Exim version with exim --version and update immediately. For those unable to patch, the workaround of disabling BDAT will prevent exploitation until a maintenance window can be scheduled.
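As an added illustration (this is not code from the article, the CVE entry, or the Exim project), the following POSIX shell script does the two checks the article recommends: it parses the version line printed by exim --version and compares it against the fixed release 4.98.1 named above, and it inspects an SMTP EHLO response to see whether the server still advertises CHUNKING, the extension that enables BDAT. The version string and the two EHLO responses are constructed samples; the configuration option named in the comment, chunking_advertise_hosts, is Exim's own setting for controlling whether CHUNKING is advertised.

```shell
#!/bin/sh
# Added example: check an Exim version against the fixed release named in the
# article, and check an EHLO response for the CHUNKING (BDAT) extension.

FIXED_VERSION="4.98.1"   # first release the article reports as fixed

# version_lt A B: exit 0 when dotted version A sorts before version B.
# Trailing non-numeric suffixes (e.g. "-RC1") are ignored; missing fields are 0.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//' | tr '.' ' ')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//' | tr '.' ' ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        [ $# -gt 0 ] && shift
    done
    # every field of B matched (A may have extra fields): A is not older than B
    return 1
}

# exim_needs_update "<first line of exim --version output>":
# exit 0 when the reported version is older than FIXED_VERSION,
# exit 1 when it is at or above it, exit 2 when no version could be parsed.
exim_needs_update() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    version_lt "$ver" "$FIXED_VERSION"
}

# advertises_chunking "<EHLO response>": exit 0 when a 250 line offers CHUNKING,
# meaning clients may use BDAT against this server.
advertises_chunking() {
    printf '%s\n' "$1" | grep -q '^250[- ]CHUNKING'
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_VERSION_LINE='Exim version 4.97 #2 built 12-Jan-2024'
SAMPLE_EHLO_VULN='250-mail.example.test Hello client [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250 HELP'
# The same server after the workaround the article describes: in the Exim main
# configuration, an empty setting stops CHUNKING from being advertised, so
# clients never send BDAT:
#   chunking_advertise_hosts =
SAMPLE_EHLO_HARDENED='250-mail.example.test Hello client [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250 HELP'

# Stand-alone demonstration on the constructed samples.
if exim_needs_update "$SAMPLE_VERSION_LINE"; then
    echo "version check: older than $FIXED_VERSION, update required"
else
    echo "version check: at or above $FIXED_VERSION"
fi
if advertises_chunking "$SAMPLE_EHLO_VULN"; then
    echo "EHLO (before workaround): CHUNKING advertised, BDAT reachable"
fi
if ! advertises_chunking "$SAMPLE_EHLO_HARDENED"; then
    echo "EHLO (after workaround): CHUNKING not advertised"
fi
```

On a live host the version line comes from exim --version (or exim -bV) and the EHLO response from a plain SMTP session to your own server; feed those captures to the two functions in place of the constructed samples.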
