
CVE-2026-45185 Exim Mailer Flaw

May 14, 2026 00:03 · 12 min read

Critical Exim Mailer Flaw Allows Remote Code Execution

A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code.

Identified as CVE-2026-45185, the security issue impacts some Exim versions before 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication.

Vulnerability Details

CVE-2026-45185 is a use-after-free (UAF) flaw triggered during TLS shutdown while Exim is handling BDAT (chunked) SMTP traffic. Exim frees a TLS transfer buffer but later continues to use stale callback references that write into the freed memory region, which can lead to unauthenticated remote code execution (RCE).

Exim is a widely deployed open-source mail transfer agent (MTA) used to send, receive, and route email on Linux and Unix servers. It is common in shared hosting environments and enterprise mail systems, and on Debian- and Ubuntu-based distributions, where it has historically been the default mail server.

Discovery and Reporting

CVE-2026-45185 was discovered and reported by XBOW researcher Federico Kirschbaum. It impacts Exim versions 4.97 through 4.99.2 on builds compiled with GnuTLS that have STARTTLS and CHUNKING advertised. OpenSSL-based builds are not affected.
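The preconditions listed above (upstream version 4.97 through 4.99.2, a GnuTLS build, and STARTTLS plus CHUNKING advertised in the EHLO response) can be turned into a triage check. The script below is an added example for this page, not code from XBOW, the Exim project, or the original article. It parses an SMTP greeting and EHLO response offline (the sample lines are constructed), encodes the version range the article states, and includes an optional live probe built on Python's standard `smtplib`. The TLS library cannot be seen from the network and must be supplied from `exim -bV` on the host; the function names (`assess`, `probe`) and the `verdict` strings are this example's own.

```python
import re
import smtplib
from typing import Iterable, Optional, Tuple

# Version range as stated in the advisory summary on this page (assumption:
# the page's figures are the only source used here). Fixed in 4.99.3.
AFFECTED_MIN = (4, 97, 0)
FIXED_IN = (4, 99, 3)

_VERSION_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

# Constructed sample inputs for the offline demonstration.
SAMPLE_BANNER = "220 mx.example.test ESMTP Exim 4.98.1 Thu, 14 May 2026 00:00:00 +0000"
SAMPLE_EHLO = [
    "250-mx.example.test Hello scanner.example.test [192.0.2.10]",
    "250-SIZE 52428800",
    "250-8BITMIME",
    "250-PIPELINING",
    "250-CHUNKING",
    "250-STARTTLS",
    "250 HELP",
]


def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a 220 greeting. Returns None when the
    banner does not name an Exim version (many sites deliberately hide it)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def version_is_affected(version: Tuple[int, int, int]) -> bool:
    """True if the upstream version lies in the range the advisory names."""
    return AFFECTED_MIN <= version < FIXED_IN


def ehlo_keywords(ehlo_lines: Iterable[str]) -> set:
    """Normalise EHLO reply lines ('250-STARTTLS', '250 CHUNKING') to a set of
    upper-case extension keywords; the parameter part (e.g. SIZE 52428800) is dropped."""
    keywords = set()
    for line in ehlo_lines:
        body = line[4:].strip() if len(line) > 4 else ""
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def assess(banner: str, ehlo_lines: Iterable[str], tls_library: Optional[str] = None) -> dict:
    """Combine the remotely visible preconditions with the locally determined
    TLS library (the 'Support for:' line of `exim -bV`, passed in by the caller).

    Caveat: distributions often backport fixes without changing the upstream
    version string, so 'likely-affected' must be confirmed against the
    distribution's own advisory, not the banner alone."""
    version = parse_exim_version(banner)
    kws = ehlo_keywords(ehlo_lines)
    checks = {
        "version_in_range": version is not None and version_is_affected(version),
        "starttls": "STARTTLS" in kws,
        "chunking": "CHUNKING" in kws,
        "gnutls": (tls_library or "").strip().lower() == "gnutls",
    }
    remote_match = checks["version_in_range"] and checks["starttls"] and checks["chunking"]
    if version is None:
        verdict = "unknown-version"
    elif not remote_match:
        verdict = "not-affected"
    elif tls_library is None:
        verdict = "possibly-affected"   # confirm the TLS library with `exim -bV`
    elif checks["gnutls"]:
        verdict = "likely-affected"
    else:
        verdict = "not-affected"        # OpenSSL builds are not affected
    return {"version": version, "checks": checks, "verdict": verdict}


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live variant: read the greeting and EHLO reply from a server you are
    authorised to test. Not exercised by the offline demo below."""
    with smtplib.SMTP(timeout=timeout) as s:
        _code, greeting = s.connect(host, port)
        s.ehlo("scanner.example.test")
        lines = [f"250-{k} {v}".rstrip() for k, v in s.esmtp_features.items()]
        return assess(greeting.decode(errors="replace"), lines)


if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_EHLO, tls_library="GnuTLS"))
```

Run it as-is for the offline verdict on the constructed sample, or call `probe("mx.example.test")` (hypothetical host) to assess a live server, then supply the TLS library from `exim -bV` to turn "possibly-affected" into a firm answer. The script is a triage aid: it tells you which hosts to look at first, not whether a distribution package has already been patched.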

Attackers exploiting the vulnerability could execute commands on the server as well as access Exim data and emails, and potentially pivot further into the environment depending on server permissions and configuration.

Mitigation and Fix

XBOW reported the vulnerability to the Exim maintainers on May 1st and received an acknowledgment on May 5th. Impacted Linux distributions were notified three days later. A fix for CVE-2026-45185 was released in Exim version 4.99.3.

To mitigate the risk, users of Ubuntu and Debian-based Linux distributions should apply the available Exim updates (v4.99.3) through their package managers. Note that distribution packages may carry the fix as a backport without the upstream version number in the SMTP banner changing, so confirm patch status against the distribution's own advisory rather than the version string alone.

AI-Assisted Exploit Build

XBOW reports that creating the proof-of-concept (PoC) exploit was a seven-day challenge between the company's autonomous AI-driven development system, XBOW Native, and a human researcher assisted by a large language model.

While XBOW Native successfully produced a working exploit for a simplified target Exim server with Address Space Layout Randomization (ASLR) disabled and a non-PIE (non-Position-Independent Executable) binary, the human researcher ultimately won the race with assistance from the LLM for tasks such as assembling files and testing exploitation avenues.

"Honestly, I don't think LLMs alone are quite ready to write exploits against real-world software yet. After this experience, I think it can solve something CTF-shaped, but I don't see them reaching the level of real production targets just yet."

Still, the researcher acknowledged the crucial role of AI tools in helping humans understand unfamiliar code and dig deeper into suspicious areas much faster than without them.

Conclusion

The discovery of CVE-2026-45185 highlights the importance of keeping software up-to-date and applying security patches in a timely manner. Users of affected Exim versions should apply the available updates to mitigate the risk of remote code execution.


Source: BleepingComputer