CVE-2026-45185: Unauthenticated RCE via Race Condition Disclosed in Exim Mail Server
A critical vulnerability, tracked as CVE-2026-45185, has been identified in Exim, the widely deployed mail transfer agent. The flaw is a race condition that enables unauthenticated remote code execution, potentially allowing an attacker to compromise a mail server without credentials or any prior access.
The vulnerability, which the disclosure refers to as "Dead.letter," appears to exploit a timing window in Exim's handling of failed message delivery. When a message cannot be delivered, Exim writes its content to a dead.letter file; under specific race conditions that write could reportedly be manipulated to achieve arbitrary code execution. The public summary does not describe the exact sequence of operations, so the mechanism should be treated as provisional until the Exim advisory is published. The disclosure notably frames the finding as a comparison between human researchers and large language model-assisted vulnerability discovery, suggesting the flaw was found through both traditional security research and AI-augmented techniques.
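The disclosure gives no detail on the Exim code path, so the following is an added, generic illustration of the vulnerability class the summary names (a race between checking a file path and writing to it), not Exim's code and not the mechanism of CVE-2026-45185. The file names, the `race_hook` that stands in for an attacker winning the race, and the `demo()` harness are all constructed for this example. The vulnerable writer checks the path and then opens it in a second step; the hardened writer opens with `O_NOFOLLOW` and validates the descriptor it actually writes to.

```python
import errno
import os
import stat
import tempfile


def vulnerable_write(path, data, race_hook=None):
    """Check-then-open: refuses a symlink, then opens the path separately.

    The gap between the check and the open is the race window. race_hook
    stands in for an attacker who wins that race (constructed for the demo).
    """
    if os.path.islink(path):
        raise PermissionError("refusing to follow symlink: %s" % path)
    if race_hook is not None:
        race_hook()  # attacker swaps the path for a symlink right here
    # open() follows symlinks, so the write lands wherever the link points
    with open(path, "a") as f:
        f.write(data)
    return len(data)


def hardened_write(path, data, expected_uid=None):
    """Open without following symlinks, then validate the open descriptor.

    Every check is made on the fd that is written to, so nothing an attacker
    does to the path after the open can redirect the write.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        if e.errno == errno.ELOOP:  # final path component is a symlink
            raise PermissionError("refusing to follow symlink: %s" % path)
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file: %s" % path)
        if st.st_nlink != 1:
            raise PermissionError("hard link detected: %s" % path)
        if st.st_uid != expected_uid:
            raise PermissionError("unexpected owner on %s" % path)
        return os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo():
    """Run both writers against a constructed symlink race; returns the outcome."""
    tmp = tempfile.mkdtemp()
    victim = os.path.join(tmp, "victim.conf")   # file the attacker wants overwritten
    letter = os.path.join(tmp, "dead.letter")   # path the daemon intends to write
    with open(victim, "w") as f:
        f.write("original\n")

    def attacker_wins_race():
        os.symlink(victim, letter)

    vulnerable_write(letter, "injected\n", race_hook=attacker_wins_race)
    with open(victim) as f:
        vulnerable_followed_symlink = "injected" in f.read()

    # The symlink is still in place; the hardened writer must refuse it.
    hardened_refused = False
    try:
        hardened_write(letter, "injected again\n")
    except PermissionError:
        hardened_refused = True
    with open(victim) as f:
        victim_untouched_by_hardened = "injected again" not in f.read()

    # With the symlink gone, the hardened writer works normally.
    os.unlink(letter)
    hardened_wrote = hardened_write(letter, "ok\n")

    return {
        "vulnerable_followed_symlink": vulnerable_followed_symlink,
        "hardened_refused": hardened_refused,
        "victim_untouched_by_hardened": victim_untouched_by_hardened,
        "hardened_wrote": hardened_wrote,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened form is that the only state it trusts is the descriptor returned by `open`: the symlink check is done by the kernel at open time, and ownership, link count and file type are read with `fstat` on that same descriptor, so there is no window between a check on the path and the write through it.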
Exim powers a substantial portion of the world's email infrastructure, which makes any unauthenticated RCE particularly concerning. Security researchers have flagged the race condition aspect as especially problematic: timing vulnerabilities can be difficult to exploit reliably, but they remain viable in targeted attacks where the attacker can afford many attempts. Administrators running Exim should monitor the vendor advisories closely for patch availability and implementation guidance, record the version each instance is running (`exim -bV` prints it) so that affected hosts can be matched against the fixed version once it is published, and plan to update promptly, since no credentials are needed to reach the flaw.
The dual-track discovery methodology referenced in the disclosure also raises broader questions about how AI tools are reshaping the vulnerability research landscape and whether LLM-assisted discovery could accelerate the identification of similar flaws in widely deployed software.