New Exim BDAT GnuTLS Vulnerability Enables Code Execution Attacks

HomeCyber Security News New Exim BDAT GnuTLS Vulnerability Enables Code Execution Attacks By Tushar Subhra Dutta May 13, 2026 A serious security flaw has been found in Exim, one of the most widely deployed mail transfer agents on the internet today. The vulnerability, tracked as EXIM-Security-2026-05-01.1, allows a remote attacker to corrupt server memory and potentially execute malicious code without needing any special privileges or credentials. It was publicly disclosed on May 12, 2026, following a coordinated responsible disclosure process that began in early May. The flaw sits inside Exim’s GnuTLS backend, the component that handles encrypted email communication over TLS. It is triggered when a client uses the BDAT command, which is part of the CHUNKING extension in the SMTP protocol used to send large email bodies in pieces. If an attacker sends a TLS close_notify alert before the body transfer finishes, and then follows it up with one final byte in plain text on the same TCP connection, the server enters a dangerous and unstable state. Exim maintainers, led by Heiko Schlittermann, acknowledged the report and confirmed the issue after receiving it from security researcher Federico Kirschbaum of XBOW Security on May 1, 2026. The team moved quickly, preparing a fix in a private repository and notifying distributors with restricted early access to patches before the public advisory went live on May 12. What makes this vulnerability especially concerning is how little an attacker actually needs to carry it out successfully. No login, no special account, and no prior access to the target system is required at all. All an attacker needs is the ability to open a TLS connection to an Exim server and use the BDAT extension, both of which are completely standard features of modern email infrastructure available to anyone. New Exim BDAT GnuTLS Vulnerability Exim powers email delivery for a significant portion of internet servers around the world, particularly in Linux-based environments. The reach of this flaw is broad, affecting all builds of Exim from version 4.97 through 4.99.2 that were compiled with GnuTLS support. That covers a large share of production mail servers running today, making the exposure window a genuine cause for concern among system administrators and security teams globally. The technical heart of this vulnerability is a use-after-free condition, a well-known class of memory bug where a program continues to use a memory address after it has already been released. When Exim receives a TLS close_notify alert mid-transfer during an active BDAT session, it begins tearing down the TLS session internally. The problem is that the input processing stack is not properly reset at this point, leaving stale and dangerous memory pointers behind. When the attacker then sends one more byte in cleartext over the same TCP connection, Exim tries to write data using a pointer that now points to freed memory. This corrupts the heap, the region of memory where the program stores active data and running state. In the right conditions, an attacker can use this corruption to redirect code execution and run their own commands on the server. It is worth noting that this issue only affects Exim builds compiled with the USE_GNUTLS=yes flag. Servers using OpenSSL or other TLS libraries are not vulnerable to this specific attack path, which narrows the scope but still leaves a large number of systems fully exposed and at risk. Patch and Recommended Action The Exim development team released version 4.99.3 on May 12, 2026, which fully resolves the vulnerability. The fix resets the input processing stack cleanly whenever a TLS close notification arrives during an active BDAT transfer, cutting off the entire chain of events that leads to heap corruption. There is no known workaround or configuration change that can protect a system short of upgrading to the latest release. Server administrators running Exim 4.97 through 4.99.2 with GnuTLS enabled should treat this as an urgent and high-priority update. The patched release is available through the official Exim FTP server and code repository for immediate deployment. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Fake Moustache Bypasses Age Verification System Raising Online Safety Act Concerns Taiwan High Speed Rail Hacked Using Radio Signal Spoofing Attack That Halted Three Trains New NWHStealer Delivery Chain Uses Bun Loader, Anti-VM Checks, and Encrypted C2 Critical Redis Vulnerabilities Enables Remote Code Execution Attacks New Stealthy Vidar Stealer Campaign Bypass EDR and Steal Credentials Latest News Cyber Security News Microsoft Releases Cumulative Update for Windows 11, Version 25H2 and 24H2 Cyber Security News Top 10 Best Data Loss Prevention Software in 2026 Cyber Security News Microsoft Teams Vulnerability Allows Hackers to Perform Spoofing Attacks Cyber Security Microsoft Patch Tuesday May 2026 – 120 Vulnerabilities Fixed, Including 29 Critical RCE Flaws Cyber Security Fortinet Patches Five Vulnerabilities Across FortiAP, FortiOS, and Enterprise Products