{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45185/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-45185"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Exim (4.97 to 4.99.2)"],"_cs_severities":["critical"],"_cs_tags":["exim","rce","vulnerability","cve-2026-45185","user-after-free","gnutls"],"_cs_type":"advisory","_cs_vendors":["Exim","Debian","Ubuntu"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-45185, affects the Exim mail transfer agent in versions 4.97 through 4.99.2 when built against the GnuTLS library (the TLS library the Debian and Ubuntu packages are built with). The flaw is a use-after-free (UAF) triggered during TLS shutdown while the server is handling BDAT (CHUNKING) SMTP traffic, and an unauthenticated remote attacker can exploit it to execute arbitrary code on the server. Exim is a widely deployed open-source mail transfer agent on Linux and Unix servers, including shared hosting environments, enterprise mail systems, and Debian- and Ubuntu-based distributions where it has historically been the default mail server. The flaw is only reachable on builds compiled with GnuTLS that advertise both STARTTLS and CHUNKING to the connecting client; a build that does not link GnuTLS, or that does not advertise both extensions, does not expose the vulnerable path. 
A fix is available in Exim version 4.99.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker opens an SMTP connection to the Exim server.\u003c/li\u003e\n\u003cli\u003eThe attacker issues STARTTLS, which the server advertises, and completes a TLS handshake.\u003c/li\u003e\n\u003cli\u003eThe attacker sends message data with BDAT chunking instead of DATA, which the server accepts because it advertises CHUNKING.\u003c/li\u003e\n\u003cli\u003eDuring TLS shutdown, Exim frees the TLS transfer buffer while its callbacks still hold references to it; this dangling reference is the use-after-free, CVE-2026-45185.\u003c/li\u003e\n\u003cli\u003eExim continues to run those stale callbacks, which write data into the freed heap region.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this heap corruption to overwrite critical data structures and take control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the server with the privileges of the Exim process.\u003c/li\u003e\n\u003cli\u003eFrom there the attacker can read Exim data and stored mail and, depending on the server's permissions and configuration, pivot further into the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45185 gives an unauthenticated remote attacker arbitrary code execution on the Exim server. That can lead to complete compromise of the host, including unauthorized access to sensitive data such as stored mail, and a foothold from which to pivot to other systems on the network. 
Given Exim\u0026rsquo;s widespread deployment, a successful attack could affect a large number of organizations, particularly those running Debian and Ubuntu-based Linux distributions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Exim 4.99.3, or to a distribution package that carries the backported fix. Debian and Ubuntu often patch their packaged version in place rather than moving to a new upstream release, so confirm the fix through the distribution advisory and package changelog rather than relying on the version string alone.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious SMTP connections that use STARTTLS and BDAT chunking to detect exploitation attempts, using the \u0026ldquo;Detect Exim CVE-2026-45185 Exploitation Attempt via SMTP BDAT\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eIf patching cannot happen immediately, remove the trigger condition. The flaw requires both STARTTLS and CHUNKING to be advertised, so setting \u003ccode\u003echunking_advertise_hosts\u003c/code\u003e to an empty list stops Exim advertising CHUNKING (clients then fall back to DATA) while leaving TLS in place. Disabling STARTTLS through \u003ccode\u003etls_advertise_hosts\u003c/code\u003e also works, but it removes transport encryption for all inbound mail and should be the last resort.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Exim servers so that attacker-initiated processes after exploitation can be detected, as covered by the \u0026ldquo;Detect Exim CVE-2026-45185 Exploitation - Process Creation\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T20:24:53Z","date_published":"2026-05-13T20:24:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-exim-rce/","summary":"CVE-2026-45185, a use-after-free vulnerability in Exim versions 4.97 through 4.99.2 built with GnuTLS, allows an unauthenticated remote attacker to execute arbitrary code by sending crafted SMTP traffic with BDAT chunking during TLS shutdown.","title":"Exim Mail Transfer Agent Use-After-Free Remote Code Execution Vulnerability (CVE-2026-45185)","url":"https://feed.craftedsignal.io/briefs/2026-05-exim-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-45185","version":"https://jsonfeed.org/version/1.1"}
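The affected set in the brief (Exim 4.97 through 4.99.2, a GnuTLS build, STARTTLS and CHUNKING both advertised) and the CHUNKING-withdrawal mitigation can be checked on a host from the output of `exim -bV` and `exim -bP <option>`. The script below is an added example, not code from the CraftedSignal brief or from the Exim project. It assumes the `Exim version X.Y.Z #N built ...` line and a `Support for:` line that names the TLS library as `TLS=GnuTLS` (recent releases) or as a bare `GnuTLS` token (older ones); the `-bV` and `-bP` outputs embedded in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the CraftedSignal brief or the Exim project.
# Classifies an Exim host against the CVE-2026-45185 conditions given above:
# version 4.97 through 4.99.2, built with GnuTLS, STARTTLS and CHUNKING
# advertised. Feed it the output of `exim -bV` and of
# `exim -bP tls_advertise_hosts` / `exim -bP chunking_advertise_hosts`.

# Map a dotted version (4.99.2) to one integer so ranges can be compared.
# A missing patch level (4.97) counts as 0.
ver_key() {
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Succeeds when VERSION lies in [4.97, 4.99.2]; 4.99.3 is the first fixed release.
exim_version_affected() {
    _v=$(ver_key "$1")
    [ "$_v" -ge "$(ver_key 4.97)" ] && [ "$_v" -le "$(ver_key 4.99.2)" ]
}

# Extract X.Y.Z from the "Exim version X.Y.Z #N built ..." line of `exim -bV`.
bv_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeeds when the "Support for:" line names GnuTLS. Recent releases print
# "TLS=GnuTLS", older ones a bare "GnuTLS" token (assumed formats).
bv_uses_gnutls() {
    printf '%s\n' "$1" | grep '^Support for:' | grep -Eq '(^|[ =])GnuTLS( |$)'
}

# `exim -bP <option>` prints "<option> = <hostlist>". An empty host list means
# the extension is advertised to nobody, which removes the trigger.
option_advertised() {
    case $1 in
        *=*) ;;
        *) return 1 ;;
    esac
    _value=$(printf '%s' "${1#*=}" | tr -d '[:space:]')
    [ -n "$_value" ]
}

# assess BV_OUTPUT TLS_OPTION_LINE CHUNKING_OPTION_LINE -> prints one status word.
assess() {
    _version=$(bv_version "$1")
    if ! exim_version_affected "$_version"; then
        echo "outside-affected-range:$_version"
    elif ! bv_uses_gnutls "$1"; then
        echo "not-a-gnutls-build:$_version"
    elif option_advertised "$2" && option_advertised "$3"; then
        echo "affected:$_version"
    else
        echo "trigger-not-advertised:$_version"
    fi
}

# Constructed sample of `exim -bV` output for a vulnerable Debian-style build.
SAMPLE_BV='Exim version 4.98.1 #2 built 14-Jan-2026 09:12:31
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 TLS=GnuTLS TLS_resume DKIM DNSSEC
Configuration file is /var/lib/exim4/config.autogenerated'

# Same host before and after withdrawing CHUNKING (constructed -bP lines).
assess "$SAMPLE_BV" 'tls_advertise_hosts = *' 'chunking_advertise_hosts = *'
assess "$SAMPLE_BV" 'tls_advertise_hosts = *' 'chunking_advertise_hosts = '
```

On a real host call it as `assess "$(exim -bV)" "$(exim -bP tls_advertise_hosts)" "$(exim -bP chunking_advertise_hosts)"`. A status of `affected` is a prompt, not a verdict: a Debian or Ubuntu package with the fix backported keeps its 4.98.x or 4.99.x version string, so pair the result with the package changelog before deciding the host still needs the CHUNKING workaround.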