Anonymous Intelligence Signal

Exim 'Dead.Letter' Flaw Exposes Mail Servers to Unauthenticated Remote Code Execution via GnuTLS BDAT

human · The Lab · unverified · 2026-05-14 08:48:29 · Source: Mastodon:mastodon.social:#infosec

A critical use-after-free vulnerability in Exim mail server software allows unauthenticated remote attackers to execute arbitrary code by sending specially crafted BDAT SMTP traffic. The flaw, tracked as CVE-2026-45185, exists specifically in Exim versions 4.97 through 4.99.2 when built with GnuTLS cryptographic support. The vulnerability has been patched in version 4.99.3, and administrators are urged to update immediately as email servers are inherently internet-facing and cannot rely on network segmentation as a protective measure.

The attack surface is Exim's handling of the CHUNKING extension (the BDAT command) inside its GnuTLS integration; a remote adversary can trigger the memory corruption without presenting any authentication credentials. Organizations running affected Exim builds face immediate risk of complete server compromise, which makes this a high-priority remediation item. Beyond upgrading to 4.99.3, interim mitigations are to disable the CHUNKING (BDAT) extension entirely or to migrate to an OpenSSL-based Exim build until the patch can be fully deployed.

Security teams should prioritize scanning their infrastructure for exposed Exim instances and verifying which cryptographic library each build is linked against. Exim's widespread deployment as a mail transfer agent makes this vulnerability particularly significant for enterprises and service providers. Proof-of-concept exploitation code has not been publicly released, but the availability of a patch and a clearly described attack path suggest heightened urgency for remediation.
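To turn the advisory's two remediation conditions (affected version range plus GnuTLS build) and its interim mitigation (CHUNKING disabled) into a repeatable host check, the following POSIX shell script is an added example; it is not code from the advisory or from the Exim project. It relies on two real Exim commands, `exim -bV` (prints the version and the "Support for:" line naming the TLS library) and `exim -bP chunking_advertise_hosts` (prints the main option that controls whether CHUNKING is offered; an empty value means it is never advertised). The function names, the result labels and the sample command outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory above: classify an Exim host against
# the conditions the advisory gives for CVE-2026-45185 (Exim 4.97 through 4.99.2,
# built with GnuTLS, CHUNKING/BDAT offered). "exim -bV" and
# "exim -bP chunking_advertise_hosts" are real Exim commands; the sample outputs
# below are constructed for offline testing, not captured from a real host.

# Fold "major.minor.patch" into one integer so versions compare numerically.
# A missing minor or patch component counts as 0 (e.g. "4.97" -> 4097000).
ver_key() {
    major=${1%%.*}; rest=${1#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# assess_exim BV_OUTPUT CHUNKING_LINE
#   BV_OUTPUT     text of "exim -bV"
#   CHUNKING_LINE text of "exim -bP chunking_advertise_hosts"
# Prints exactly one of:
#   no-exim | not-affected-version | not-affected-tls | mitigated-chunking-off | vulnerable
assess_exim() {
    bv_out=$1
    chunk_line=$2

    version=$(printf '%s\n' "$bv_out" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$version" ] || { echo no-exim; return 0; }

    # Affected window per the advisory: 4.97 <= version <= 4.99.2
    key=$(ver_key "$version")
    if [ "$key" -lt "$(ver_key 4.97)" ] || [ "$key" -gt "$(ver_key 4.99.2)" ]; then
        echo not-affected-version; return 0
    fi

    # The "Support for:" line names the TLS library the binary was built with.
    support=$(printf '%s\n' "$bv_out" | grep '^Support for:' || true)
    case " $support " in
        *" GnuTLS "*)  tls=gnutls ;;
        *" OpenSSL "*) tls=openssl ;;
        *)             tls=none ;;
    esac
    [ "$tls" = gnutls ] || { echo not-affected-tls; return 0; }

    # chunking_advertise_hosts defaults to "*"; an empty value means CHUNKING is
    # never advertised, which is the advisory's interim mitigation. If the
    # setting could not be read, assume the default rather than assume safety.
    [ -n "$chunk_line" ] || chunk_line='chunking_advertise_hosts = *'
    hosts=$(printf '%s' "${chunk_line#*=}" | tr -d '[:space:]')
    if [ -z "$hosts" ]; then echo mitigated-chunking-off; else echo vulnerable; fi
}

# Run the two real commands on this host (Debian names the binary exim4).
check_local_host() {
    for bin in exim exim4; do
        if command -v "$bin" >/dev/null 2>&1; then
            assess_exim "$("$bin" -bV 2>/dev/null)" \
                        "$("$bin" -bP chunking_advertise_hosts 2>/dev/null)"
            return 0
        fi
    done
    echo no-exim
}

# Constructed sample outputs in the format "exim -bV" prints (not from a real host).
SAMPLE_BV_GNUTLS='Exim version 4.99.2 #3 built 01-May-2026 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 Expand_dlfunc GnuTLS DANE DKIM DNSSEC Event OCSP PRDR'
SAMPLE_BV_OPENSSL='Exim version 4.98 #1 built 01-Feb-2025 10:00:00
Support for: crypteq iconv() IPv6 Expand_dlfunc OpenSSL DANE DKIM'
SAMPLE_BV_PATCHED='Exim version 4.99.3 #1 built 10-May-2026 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM'
CHUNKING_DEFAULT='chunking_advertise_hosts = *'
CHUNKING_OFF='chunking_advertise_hosts = '

echo "gnutls, chunking on : $(assess_exim "$SAMPLE_BV_GNUTLS"  "$CHUNKING_DEFAULT")"
echo "gnutls, chunking off: $(assess_exim "$SAMPLE_BV_GNUTLS"  "$CHUNKING_OFF")"
echo "openssl build       : $(assess_exim "$SAMPLE_BV_OPENSSL" "$CHUNKING_DEFAULT")"
echo "patched 4.99.3      : $(assess_exim "$SAMPLE_BV_PATCHED" "$CHUNKING_DEFAULT")"
echo "this host           : $(check_local_host)"
```

Run it on each mail host (or feed it captured `-bV` / `-bP` output from a fleet inventory) and treat anything other than `not-affected-version` as needing follow-up: `vulnerable` means upgrade to 4.99.3 now, `mitigated-chunking-off` and `not-affected-tls` are the advisory's interim states and should still be scheduled for the upgrade. The script deliberately treats an unreadable `chunking_advertise_hosts` as the default `*`, so a broken config read never reports a host as mitigated.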