Summary
Exim patched a critical use-after-free vulnerability (CVE-2026-45185) in its GnuTLS-based TLS code that allows unauthenticated remote attackers to execute arbitrary code by sending specially crafted BDAT SMTP traffic.
Take Action:
If you are running Exim mail servers (versions 4.97 through 4.99.2) built with GnuTLS, update to version 4.99.3 as soon as possible. Mail servers are designed to be exposed to the internet, so you cannot hide this issue behind a firewall. If you cannot update immediately, temporarily disable the CHUNKING (BDAT) extension or switch to an OpenSSL-based build until the patch is applied.
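As an added example (not code from the BeyondMachines article or from the Exim project), the following POSIX shell script turns the affected set stated above into a check a defender can run on each mail host. It parses the text that `exim -bV` prints, which carries an `Exim version X.Y.Z` line and, for GnuTLS builds, a `Library version: GnuTLS:` line or `GnuTLS` in the `Support for:` line, and reports whether the build is 4.97 through 4.99.2 with GnuTLS. The sample output embedded in it is constructed, not captured from a real server, and the mitigation it prints relies on the Exim main option `chunking_advertise_hosts` (not mentioned on the page), which, set to an empty host list, stops Exim from advertising CHUNKING to connecting hosts.

```shell
#!/bin/sh
# Added example, not code from the BeyondMachines article or the Exim project.
# Classifies a host from the text `exim -bV` prints, using the affected set
# stated in the advisory: Exim 4.97 through 4.99.2 built against GnuTLS.
# Real usage on a mail host:  exim_advice "$(exim -bV 2>/dev/null)"

# Print the version number from the "Exim version X.Y.Z #N ..." line.
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Turn "4.99.2" into a sortable integer (4099002); a missing patch level counts as 0.
version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Exit 0 when the build links GnuTLS (the TLS backend the advisory names), 1 otherwise.
exim_uses_gnutls() {
    printf '%s\n' "$1" | grep -q -e '^Library version: GnuTLS' -e '^Support for:.*GnuTLS'
}

# Exit 0 when the -bV text describes an affected build, 1 otherwise.
exim_affected() {
    bv="$1"
    ver=$(exim_version "$bv")
    [ -n "$ver" ] || return 1          # not Exim output at all
    key=$(version_key "$ver")
    if [ "$key" -ge 4097000 ] && [ "$key" -le 4099002 ] && exim_uses_gnutls "$bv"; then
        return 0
    fi
    return 1
}

# Print the advisory's advice for one host; the interim mitigation uses the
# Exim main option chunking_advertise_hosts (assumed from the Exim spec, not the page).
exim_advice() {
    if exim_affected "$1"; then
        echo "AFFECTED: update to Exim 4.99.3; until then set 'chunking_advertise_hosts =' (empty) in the main configuration so CHUNKING/BDAT is no longer advertised"
    else
        echo "not affected by CVE-2026-45185 as described"
    fi
}

# Constructed sample -bV output (not captured from a real host) so the script runs offline.
SAMPLE_VULNERABLE="Exim version 4.99.2 #3 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.8.3
                         Runtime: 3.8.3"

exim_advice "$SAMPLE_VULNERABLE"
```

Run it as-is to see the classification of the constructed sample, or replace the sample with the real `exim -bV` output as shown in the comment at the top. The version key comparison is what makes 4.99.3 (the fixed release) fall outside the range while 4.97 with no patch level falls inside it.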
This article was originally published on BeyondMachines