A devastating new vulnerability in the Exim Mail Transfer Agent (MTA) is currently threatening the backbone of global email communication. Tracked as CVE-2026-45185 and nicknamed “Dead.Letter,” this flaw allows unauthenticated attackers to execute arbitrary code on internet-facing mail servers.
Exim is one of the most widely deployed MTAs on Linux and Unix-like systems. Because the Exim binary is installed setuid root and parts of the delivery path run with root privilege, a successful exploit does not just leak mail: it gives the attacker code execution on the host itself.
The Vulnerability: The “Dead.Letter” Use-After-Free
The flaw is a Use-After-Free (UAF), not a leak: memory is released and then used again. It is triggered by a specific sequence of SMTP commands inside a TLS session.
The “Perfect Storm” Configuration: A server is vulnerable only if all three of the following hold:
- Version: Exim 4.97 through 4.99.2, inclusive.
- Library: Built against GnuTLS (builds that link OpenSSL are not affected).
- Features: Both STARTTLS and CHUNKING (the BDAT command) are enabled, so that the server offers them in its EHLO response.
How the Attack Works: The attacker opens a connection, upgrades it with STARTTLS, and begins sending a large message in chunks with BDAT. Mid-message, the attacker tears down the TLS layer. Exim frees the buffer that held the decrypted input but leaves the internal pointers that referenced it dangling. When it goes on to process the remainder of the chunked message, it writes through the stale pointer into freed heap memory, corrupting allocator state in a way that can be escalated to Remote Code Execution (RCE).
From a Single Byte to Full System Takeover
On its own the bug yields only a single byte written to the wrong place, but researchers have shown that this primitive is enough to take over the process.
By shaping the heap so that the stray byte lands on allocator metadata, an attacker can make Exim miscalculate the size or boundary of its own allocations and, from there, overwrite sensitive internal pointers. Even with ASLR in place, this has been used to redirect Exim's own function pointers and run attacker-chosen commands during Access Control List (ACL) processing, the stage at which Exim evaluates policy for an incoming message.
The LLM Factor: Researchers also noted that Large Language Models (LLMs) can now help assemble exploit chains of this complexity, shortening the gap between a bug being found and a working exploit being available.
Immediate Mitigation: How to Protect Your Server
Exim has released an emergency fix in version 4.99.3. If you manage a mail server, upgrading is the top priority; you can confirm the running version and the TLS library it was built with from the output of `exim -bV`.
If you cannot patch immediately, any one of the following workarounds removes a precondition of the attack:
- Switch to OpenSSL: Rebuild or reinstall Exim linked against OpenSSL instead of GnuTLS. Note that the stock exim4 packages on Debian and Ubuntu are built against GnuTLS, so a default package install is in scope until it is updated.
- Disable Chunking: Stop advertising CHUNKING so clients never send BDAT. In the Exim configuration this is `chunking_advertise_hosts =` (left empty); the current value can be read with `exim -bP chunking_advertise_hosts`.
- Restrict STARTTLS: Narrow `tls_advertise_hosts` so STARTTLS is only offered to trusted internal networks. This breaks the attack chain but will also downgrade inbound mail from the Internet to plaintext, so treat it as a last resort.
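The following POSIX shell script, added here as an editorial example and not code from the Exim project or from this article's source, turns the three exposure criteria listed above and the workaround list into a repeatable triage check. It assumes the `exim -bV` banner looks like the constructed sample embedded below (real hosts differ in build date and feature lists) and that the live advertise options are read on a real host with `exim -bP chunking_advertise_hosts` and `exim -bP tls_advertise_hosts`; the affected version range 4.97 through 4.99.2 is taken from the text above.

```shell
#!/bin/sh
# Added example (not Exim project code): classify one host against the three
# "Dead.Letter" exposure criteria and report which workaround, if any, already
# breaks the chain. Assumption: `exim -bV` prints an "Exim version X.Y.Z" line
# and a "Library version:" line naming GnuTLS or OpenSSL, as in the sample.

# Constructed sample of `exim -bV` output for a GnuTLS build (not captured
# from a real host).
SAMPLE_BV='Exim version 4.98.1 #2 built 12-Jan-2025 10:00:00
Copyright (c) University of Cambridge, 1995 - 2024
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS DKIM DNSSEC
Library version: GnuTLS: Compile: 3.8.3  Runtime: 3.8.3
Configuration file is /etc/exim4/exim4.conf'

# Print the version number found in -bV output read from stdin.
exim_version() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the TLS library named on the "Library version:" line of -bV output.
exim_tls_library() {
    case "$(sed -n '/^Library version:/{p;q;}')" in
        *GnuTLS*)  echo GnuTLS ;;
        *OpenSSL*) echo OpenSSL ;;
        *)         echo unknown ;;
    esac
}

# Turn "4.99.2" or "4.97" into an integer key for range checks: 4.99.2 -> 49902.
# Trailing suffixes such as "-RC1" are dropped before arithmetic.
version_key() {
    maj=${1%%.*}
    rest=${1#*.}
    case "$rest" in
        *.*) min=${rest%%.*}; pat=${rest#*.} ;;
        *)   min=$rest;       pat=0 ;;
    esac
    min=${min%%[!0-9]*}
    pat=${pat%%[!0-9]*}
    echo $(( maj * 10000 + ${min:-0} * 100 + ${pat:-0} ))
}

# Affected range from the advisory text: 4.97 through 4.99.2 inclusive.
version_affected() {
    k=$(version_key "$1")
    [ "$k" -ge 49700 ] && [ "$k" -le 49902 ]
}

# Combine the three criteria. Arguments: version, TLS library, and the live
# values of chunking_advertise_hosts and tls_advertise_hosts (empty means the
# feature is not advertised). Returns 0 when the host is exposed, 1 otherwise,
# and prints the first precondition that is missing.
assess_exposure() {
    ver=$1; lib=$2; chunking=$3; tls=$4
    if ! version_affected "$ver"; then
        echo "not exposed: version $ver is outside 4.97..4.99.2"; return 1
    fi
    if [ "$lib" != GnuTLS ]; then
        echo "not exposed: built against $lib, not GnuTLS"; return 1
    fi
    if [ -z "$chunking" ]; then
        echo "not exposed: CHUNKING is not advertised"; return 1
    fi
    if [ -z "$tls" ]; then
        echo "not exposed: STARTTLS is not advertised"; return 1
    fi
    echo "EXPOSED: Exim $ver/$lib advertises CHUNKING to [$chunking] and STARTTLS to [$tls]"
    return 0
}

# Stand-alone run on the constructed sample. On a real host replace the first
# two lines with:  ver=$(exim -bV | exim_version)
#                  lib=$(exim -bV | exim_tls_library)
# and take the advertise values from `exim -bP <option>` (format "name = value").
ver=$(printf '%s\n' "$SAMPLE_BV" | exim_version)
lib=$(printf '%s\n' "$SAMPLE_BV" | exim_tls_library)
for chunking in '*' ''; do
    # Second pass models the "Disable Chunking" workaround applied to the same host.
    assess_exposure "$ver" "$lib" "$chunking" '*' || :
done
```

The check deliberately treats the three conditions as independent switches: clearing `chunking_advertise_hosts` or narrowing `tls_advertise_hosts` flips a host to "not exposed" immediately, which is what the workarounds above rely on, while only the version test reflects the durable fix of upgrading to 4.99.3. Run it again after any change to confirm the state actually moved.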
Conclusion: A High-Priority Threat
CVE-2026-45185 is a top-severity (“Level 10”) threat for ISPs, hosting providers, and enterprise IT teams. Because it requires no authentication and abuses a core function of mail delivery that is reachable from the Internet, it is a prime target for automated botnets and state-sponsored actors alike. Treat your mail infrastructure as a critical attack surface: patch to 4.99.3 today, and until then remove at least one of the three preconditions above.