CVE-2026-45185
critical
CVSS v3
9.8
CVSS v2
—
VIR risk
9.8
Description
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-45185.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-45185
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 4.96-15+deb12u9 |
| debian | bullseye | fixed | 4.94.2-7+deb11u5 |
| debian | forky | fixed | 4.99.2-2 |
| debian | sid | fixed | 4.99.2-2 |
| debian | trixie | fixed | 4.98.2-1+deb13u2 |
| sles | affected | |
References
- https://code.exim.org/exim/wiki/wiki/EximSecurity
- https://exim.org
- https://exim.org/static/doc/security/CVE-2026-45185.txt
- https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/
- https://news.ycombinator.com/item?id=48111748
- https://www.openwall.com/lists/oss-security/2026/05/12/4
- https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim
- http://www.openwall.com/lists/oss-security/2026/05/12/25
- https://security-tracker.debian.org/tracker/CVE-2026-45185
- https://www.suse.com/security/cve/CVE-2026-45185.html
CWEs
CWE-416
Verify integrity in audit chain (admin only). AS-IS.