What Happened to Dead.Letter (CVE-2026-45185) - XBOW's Unauthenticated RCE on Exim?
Dead.Letter (CVE-2026-45185) is a critical use-after-free vulnerability discovered by XBOW in the Exim mail transfer agent, affecting versions 4.97 through 4.99.2 when built with GnuTLS. Publicly disclosed on May 12, 2026, it allows unauthenticated remote code execution, posing a significant threat to millions of internet-facing mail servers. Exim has released version 4.99.3 to patch the flaw, urging immediate upgrades.
Quick Answer
Dead.Letter (CVE-2026-45185) is a severe unauthenticated Remote Code Execution (RCE) vulnerability found in the Exim mail server, impacting versions 4.97 to 4.99.2 that utilize the GnuTLS library. Discovered by XBOW's security lab on May 1, 2026, and publicly disclosed on May 12, 2026, the flaw allows attackers to corrupt memory and execute arbitrary code without authentication or special server configuration. Exim has released version 4.99.3 to address this critical issue, and administrators are strongly advised to upgrade immediately as no other mitigations exist.
Complete Timeline (10 events)
Vulnerability Discovered by XBOW
Federico Kirschbaum, head of Security Lab at XBOW, an autonomous cybersecurity testing platform, discovered the 'Dead.Letter' vulnerability (CVE-2026-45185) in Exim. The discovery was aided by XBOW's AI-powered analysis platform.
Vulnerability Reported to Exim Maintainers
XBOW researchers submitted the details of the 'Dead.Letter' bug to the Exim maintainers, initiating a coordinated disclosure process.
Exim Team Confirms Flaw and Begins Patch Development
Led by Heiko Schlittermann, the Exim team quickly confirmed the reported flaw and began developing a fix in a private repository.
Security Advisory for Exim & Apache (General)
An advisory from AbeloHost B.V. mentions critical vulnerabilities in Exim (RCE) and Apache HTTP Server, urging updates to Exim 4.99.2 or higher, indicating awareness of Exim RCEs before the specific CVE-2026-45185 public disclosure.
Hacker News Discussion Pre-Public Disclosure
A discussion on Hacker News indicates that coordinated distro releases were imminent, with some users receiving notices that did not yet include the CVE number, suggesting the embargo was about to lift or had partially broken.
Exim Releases Security Updates (Version 4.99.3)
Exim officially released security updates, including version 4.99.3, to address the 'Dead.Letter' vulnerability (CVE-2026-45185).
Public Disclosure of CVE-2026-45185 ('Dead.Letter')
The 'Dead.Letter' vulnerability, tracked as CVE-2026-45185, was publicly disclosed. It was described as a use-after-free vulnerability in Exim's BDAT message body parsing when TLS is handled by GnuTLS, leading to potential code execution.
XBOW Publishes Technical Write-up
XBOW published a detailed blog post titled 'Dead.Letter (CVE-2026-45185) How XBOW Found an Unauthenticated RCE on Exim', explaining the technical details of the vulnerability and its exploitation.
Widespread Cybersecurity Media Coverage
Numerous cybersecurity news outlets, including The Hacker News, FOSS Force, and Daily CyberSecurity, reported on the critical vulnerability, its impact, and the urgent need for patching.
Continued Urgency for Patching
As of today, cybersecurity experts continue to emphasize the critical nature of CVE-2026-45185, urging all Exim administrators to upgrade to version 4.99.3 immediately due to the high risk of unauthenticated remote code execution.
Deep Dive Analysis
The 'Dead.Letter' vulnerability, officially tracked as CVE-2026-45185, represents a critical security flaw in the widely used Exim mail transfer agent (MTA). Discovered by Federico Kirschbaum, head of Security Lab at XBOW, an autonomous cybersecurity testing platform, on May 1, 2026, this vulnerability is a use-after-free (UAF) bug that can lead to unauthenticated remote code execution (RCE). The discovery was notably aided by XBOW's AI-powered vulnerability analysis platform, highlighting the growing role of artificial intelligence in cybersecurity research.
The vulnerability specifically affects Exim versions from 4.97 up to and including 4.99.2, but only in builds configured to use GnuTLS (`USE_GNUTLS=yes`) for TLS connections. This configuration is common in many Debian-based Linux distributions, including Ubuntu, making a substantial number of internet-facing mail servers potentially vulnerable. The flaw is triggered during the handling of Binary Data Transmission (BDAT) messages. An attacker can initiate a TLS connection, send a `close_notify` alert before a BDAT body transfer is complete, and then send a final byte in cleartext on the same TCP connection. This sequence causes Exim to attempt a write operation into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption.
XBOW researchers described the vulnerability as one of the 'highest-caliber bugs' discovered in Exim to date, emphasizing that it requires almost no special server configuration to exploit. The one-byte write of a newline character into the freed memory region is sufficient to corrupt Exim's allocator metadata, which can then be leveraged to gain full memory control and ultimately achieve remote code execution. This 'zero-click' RCE means an attacker needs no credentials or user interaction to compromise a vulnerable server.
The coordinated public disclosure occurred on May 12, 2026, following an 11-day embargo period during which XBOW worked with Exim maintainers and Linux distributors to develop and deploy patches. Exim released version 4.99.3 to fix the issue. This fix ensures that the input processing stack is properly reset when a TLS close notification is received during an active BDAT transfer, preventing the use of stale pointers.
As of May 13, 2026, the immediate consequence is the urgent need for all administrators running affected Exim versions with GnuTLS to upgrade to 4.99.3. There are no known mitigations other than upgrading. The widespread use of Exim, estimated to be on millions of servers globally, means that unpatched systems remain at critical risk of takeover. Security advisories and patching instructions have been widely disseminated across cybersecurity news outlets and vendor channels, urging rapid action to prevent potential exploitation in the wild.
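Because exposure depends on two facts stated above (version 4.97 through 4.99.2, and a GnuTLS build), a fleet-wide check is mostly a matter of parsing `exim -bV` on each host. The script below is an added example written for this article; it is not code from XBOW, the Exim project, or any vendor advisory. It assumes the first line of `exim -bV` begins with `Exim version X.Y[.Z]` and that a GnuTLS build mentions "GnuTLS" somewhere in that output (in the feature list or the library-version line); the three sample outputs are constructed for the example, not captured from real servers.

```python
"""Classify Exim hosts against the CVE-2026-45185 affected range using `exim -bV` output.

Added example for this article; assumptions are marked in comments.
"""
import re
from typing import Optional, Tuple

# Affected range from the advisory: 4.97 up to and including 4.99.2, GnuTLS builds only.
FIRST_AFFECTED = (4, 97, 0)
LAST_AFFECTED = (4, 99, 2)
FIXED_VERSION = "4.99.3"

# Assumption: `exim -bV` starts with a line such as "Exim version 4.99.2 #1 built ...".
VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)

# Constructed, abridged samples of `exim -bV` output (not from real hosts).
SAMPLE_AFFECTED = """Exim version 4.98.1 #2 built 01-Jan-2026 10:00:00
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS DKIM DNSSEC
Library version: GnuTLS: Compile: 3.8.3
"""
SAMPLE_FIXED = """Exim version 4.99.3 #1 built 12-May-2026 09:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC
Library version: GnuTLS: Compile: 3.8.3
"""
SAMPLE_OPENSSL = """Exim version 4.99.2 #1 built 02-Feb-2026 12:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC
Library version: OpenSSL: Compile: OpenSSL 3.0.13
"""


def parse_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the banner line; a missing patch level counts as 0."""
    m = VERSION_RE.search(bv_output)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(patch or 0))


def built_with_gnutls(bv_output: str) -> bool:
    """Assumption: a GnuTLS build names GnuTLS in the feature list or library-version line."""
    return "gnutls" in bv_output.lower()


def assess(bv_output: str) -> dict:
    """Combine the version range and TLS-library checks into a single verdict."""
    version = parse_version(bv_output)
    gnutls = built_with_gnutls(bv_output)
    in_range = version is not None and FIRST_AFFECTED <= version <= LAST_AFFECTED
    affected = in_range and gnutls
    if version is None:
        action = "could not parse version; inspect host manually"
    elif affected:
        action = f"upgrade to {FIXED_VERSION} now (no other mitigation is known)"
    elif in_range:
        action = "version in range but not a GnuTLS build; outside the vulnerable configuration"
    else:
        action = "version outside the affected range"
    return {"version": version, "gnutls": gnutls, "affected": affected, "action": action}


if __name__ == "__main__":
    for label, sample in (("affected", SAMPLE_AFFECTED),
                          ("fixed", SAMPLE_FIXED),
                          ("openssl", SAMPLE_OPENSSL)):
        print(label, assess(sample))
```

On a real fleet, feed `assess()` the captured `exim -bV` text from each host (for example via your configuration-management tool) and treat any `affected: True` result as a priority-one upgrade; the OpenSSL branch is reported separately so that hosts outside the vulnerable configuration are not silently skipped in inventories.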