Exim Use-After-Free Vulnerability in GnuTLS Configurations Allowing Remote Code Execution

Vulnerability

A use-after-free vulnerability has been identified in Exim versions prior to 4.99.3, specifically in builds that use GnuTLS as the TLS library. This vulnerability is remotely exploitable and occurs in the BDAT body parsing process. It is triggered when a client sends a TLS close_notify alert mid-transfer during a CHUNKING (BDAT) operation and then sends a cleartext byte on the same TCP connection. This sequence can lead to heap corruption, allowing an unauthenticated network attacker to execute arbitrary code.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected Exim server.

Reproduction

The vulnerability can be reproduced by sending a TLS close_notify alert during a CHUNKING transfer, followed by a cleartext byte on the same connection. This can be done using a custom SMTP client that supports TLS and GnuTLS.

Remediation

Users are advised to upgrade to Exim version 4.99.3 or later.
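To help triage an estate against this advisory, the following added script (not part of the advisory, nor Exim's own tooling) parses `exim -bV` output, compares the reported version with the fixed version 4.99.3, and flags only GnuTLS builds as affected, since the issue is GnuTLS-specific. The sample output is constructed and the exact `exim -bV` line layout ("Exim version ..." and "Support for: ...") is an assumption about the tool's format.

```python
import re
import subprocess

FIXED_VERSION = (4, 99, 3)  # first fixed Exim release, per the advisory

# Constructed sample of `exim -bV` output (assumed format). Only the
# "Exim version" and "Support for:" lines are parsed below.
SAMPLE_BV_OUTPUT = """\
Exim version 4.98.1 #2 built 03-Mar-2025 10:12:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.7.9
                         Runtime: 3.7.9
"""


def parse_version(text):
    """Return the Exim version as a 3-tuple of ints ("4.97" -> (4, 97, 0))."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found in output")
    return tuple(int(part) if part else 0 for part in m.groups())


def uses_gnutls(text):
    """True if the build lists GnuTLS on its 'Support for:' line."""
    m = re.search(r"^Support for:(.*)$", text, re.M)
    return bool(m) and "GnuTLS" in m.group(1).split()


def assess(text):
    """Return (vulnerable, reason) for one `exim -bV` output."""
    ver = parse_version(text)
    ver_str = ".".join(str(p) for p in ver)
    if ver >= FIXED_VERSION:
        return False, "version %s is at or above 4.99.3" % ver_str
    if not uses_gnutls(text):
        return False, "version %s is not a GnuTLS build; issue is GnuTLS-specific" % ver_str
    return True, "version %s with GnuTLS is affected; upgrade to 4.99.3 or later" % ver_str


def assess_local_exim():
    """Run `exim -bV` on this host and assess it (needs exim in PATH)."""
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    vulnerable, reason = assess(SAMPLE_BV_OUTPUT)
    print("VULNERABLE" if vulnerable else "not affected", "-", reason)
```

Pre-release strings such as "4.99RC1" parse as (4, 99, 0) and are therefore reported as affected, which is the safe default for triage.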

Added: May 12, 2026, 8:30 PM
Updated: May 12, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 7.5
exploitability: 8.7
remediation: 7.7
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.