New Critical Exim Mailer Allows Remote Attacker to Execute Arbitrary Code
By Abinaya
May 14, 2026
A critical vulnerability in the widely used Exim mail server allows unauthenticated attackers to execute arbitrary code and fully compromise exposed servers.
Federico Kirschbaum, head of the Security Lab at XBOW, discovered and reported the issue, which has been dubbed Dead.Letter.
The vulnerability carries a CVSS severity score of 9.8, making it one of the most severe bugs ever identified in the Exim ecosystem.
Organizations relying on this open-source mail server must take immediate action: the exploit requires no special configuration and can be triggered silently, without any user interaction.
Exim RCE Flaw Disclosed
The technical foundation of this exploit is a severe use-after-free memory corruption flaw tracked as CVE-2026-45185.
According to security advisories from Exim and independent analysis by CyCognito, the vulnerability resides in the message body parsing logic for binary data transfers when the GnuTLS library handles the TLS connection.
Threat actors can trigger the flaw by manipulating the connection sequence during an active transfer.
When an attacker sends a standard Transport Layer Security close notification alert before the binary data transfer is complete, and then immediately follows up with a final cleartext byte on the same TCP connection, the mail server mishandles the connection state.
This precise sequence of events causes Exim to write into an internal memory buffer that had already been freed during the standard session teardown process.
By misdirecting a single byte of data, attackers can corrupt the memory allocator's internal structure.
As XBOW researchers highlighted in their technical disclosure, this single-byte heap corruption is entirely sufficient to escalate privileges and achieve unauthenticated remote code execution.
Security experts emphasize that the attack only requires the ability to establish a TLS connection and to use the standard SMTP chunking extension, both of which are enabled by default on modern deployments.
Despite the critical nature of the Dead.Letter vulnerability, exposure depends on specific underlying build choices.
The Hacker News reports that the issue affects only Exim versions 4.97 through 4.99.2 when compiled with the GnuTLS library.
Builds that rely on alternative libraries, such as OpenSSL, are entirely unaffected by this attack vector.
Consequently, the threat is highly concentrated on Debian, Ubuntu, and Debian-derived Linux distributions that ship the vulnerable packages by default, whereas systems like Red Hat Enterprise Linux are generally safe.
System administrators cannot rely on simple workarounds to mitigate this threat. The Exim development team has officially addressed the memory handling flaw in version 4.99.3, and security platforms universally advise upgrading immediately.
Because there are no viable configuration changes that completely resolve the vulnerability without breaking functionality, patching remains the only definitive defense.
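The affected-build criteria above (Exim 4.97 through 4.99.2, GnuTLS build, fixed in 4.99.3) can be checked from the output of `exim -bV`, which reports the version on its first line and the compile-time TLS library on its "Support for:" line. The following script is an added example and is not code from the article, from Exim or from XBOW; it assumes that the TLS library appears as the token `GnuTLS` or `OpenSSL` on the "Support for:" line, and the sample outputs embedded below are constructed, not captured from real hosts.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected range and fixed release as stated in the article:
# Exim 4.97 through 4.99.2 when built against GnuTLS; fixed in 4.99.3.
AFFECTED_MIN: Version = (4, 97, 0)
AFFECTED_MAX: Version = (4, 99, 2)
FIXED: Version = (4, 99, 3)

# "Exim version 4.98.1 #2 built ..." is the first line of `exim -bV`.
VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)
# "Support for: ..." lists compile-time features; that the TLS library shows up
# there as the token "GnuTLS" or "OpenSSL" is an assumption about the format.
SUPPORT_RE = re.compile(r"^Support for:(.*)$", re.MULTILINE)


def parse_version(bv_output: str) -> Optional[Version]:
    """Return (major, minor, patch) from `exim -bV` output, or None if absent."""
    m = VERSION_RE.search(bv_output)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def tls_library(bv_output: str) -> Optional[str]:
    """Return "GnuTLS", "OpenSSL", or None based on the 'Support for:' line."""
    m = SUPPORT_RE.search(bv_output)
    if m is None:
        return None
    tokens = set(m.group(1).split())
    for lib in ("GnuTLS", "OpenSSL"):
        if lib in tokens:
            return lib
    return None


def assess(bv_output: str) -> str:
    """Classify a build against the ranges the article gives.

    Returns 'affected', 'fixed', 'not affected (<lib> build)',
    'outside affected range' (older than 4.97) or 'unknown'.
    """
    version = parse_version(bv_output)
    lib = tls_library(bv_output)
    if version is None or lib is None:
        return "unknown"
    if lib != "GnuTLS":
        return f"not affected ({lib} build)"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED:
        return "fixed"
    return "outside affected range"


# Constructed sample outputs (not captured from real hosts), trimmed to the
# two lines the checks rely on.
SAMPLE_DEBIAN_GNUTLS = (
    "Exim version 4.98.1 #2 built 01-Jan-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC\n"
)
SAMPLE_OPENSSL = (
    "Exim version 4.98.1 #1 built 01-Jan-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 OpenSSL move_frozen_messages DKIM DNSSEC\n"
)
SAMPLE_PATCHED = (
    "Exim version 4.99.3 #1 built 01-May-2026 00:00:00\n"
    "Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC\n"
)

if __name__ == "__main__":
    import subprocess

    out = None
    # On a real host, read the live output; Debian installs the binary as exim4.
    for binary in ("exim", "exim4"):
        try:
            out = subprocess.run([binary, "-bV"], capture_output=True,
                                 text=True, check=False).stdout
            break
        except FileNotFoundError:
            continue
    if not out:
        out = SAMPLE_DEBIAN_GNUTLS  # fall back to the constructed sample
    print(assess(out))
```

One caveat when reading the result: distribution packages often backport a security fix without changing the upstream version string, so a package that reports 4.98.x may already carry the fix. Treat "affected" as a prompt to confirm the installed package version against the distribution's own advisory, not as proof of exposure.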
Abinaya, https://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.