A critical use-after-free vulnerability in Exim’s handling of GnuTLS TLS session shutdown enables unauthenticated remote code execution on any Exim installation compiled with GnuTLS support. The flaw, CVE-2026-45185 (CVSS 9.8), affects all Exim versions prior to the patched release and represents a direct internet-facing attack surface: Exim is the default mail transfer agent on Debian and Ubuntu, making it the most widely deployed MTA on the internet by install count.
Technical Detail
The vulnerability exists in Exim’s TLS session cleanup code path when the connection uses GnuTLS (as opposed to OpenSSL). During a TLS connection shutdown sequence, Exim frees a TLS session structure and then continues to reference a callback function pointer within that freed memory region. An attacker can trigger this use-after-free condition during the SMTP STARTTLS negotiation phase — before any authentication is required — by sending a specially crafted TLS alert message.
Because the freed region can be reclaimed and partly controlled by a heap spray during the SMTP banner exchange, the bug can be escalated from a crash into code execution. The attack requires only network access to port 25 (SMTP) or 587 (submission): no credentials and no prior session state.
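To make the bug class described above concrete, the following is an added illustration written for this page; it is not Exim's source and reproduces neither its session structure nor the real trigger. The struct layout, the callback name on_close, and the single-slot allocator are assumptions chosen so that the dangling-pointer behaviour is deterministic and observable instead of undefined, standing in for the heap reclaim the advisory describes.

```c
#include <stddef.h>
#include <string.h>

#define LEGIT_RC  42     /* value the genuine shutdown callback returns */
#define HIJACK_RC 0xbad  /* sentinel returned by an attacker-planted callback */

/* Model of a session object that owns a shutdown-notification callback
 * (assumed layout, not Exim's). */
typedef int (*close_cb_t)(void *ctx);
typedef struct tls_session {
    close_cb_t on_close;     /* invoked as the session is torn down */
    void      *cb_ctx;
    char       rest[64];     /* stands in for the remaining session state */
} tls_session;

/* Toy single-slot allocator: like a real free(), slot_free() does not scrub
 * the memory, and the next allocation of that size gets the same chunk. */
static tls_session slot;
static int slot_in_use;

static tls_session *slot_alloc(void)
{
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    memset(&slot, 0, sizeof slot);
    return &slot;
}

static void slot_free(tls_session *s)
{
    if (s == &slot) slot_in_use = 0;
}

static int legit_close(void *ctx)    { (void)ctx; return LEGIT_RC; }
static int hijacked_close(void *ctx) { (void)ctx; return HIJACK_RC; }

tls_session *session_new(void)
{
    tls_session *s = slot_alloc();
    if (s) s->on_close = legit_close;
    return s;
}

/* Models attacker-controlled data landing in the freed chunk (the page
 * describes a spray during the SMTP banner exchange). */
void reclaim_with_attacker_data(void)
{
    tls_session *chunk = slot_alloc();   /* same memory the session occupied */
    if (chunk) chunk->on_close = hijacked_close;
}

/* BUG pattern: the object is released, other processing runs, and the
 * callback member is then read through the dangling pointer. */
int session_shutdown_vulnerable(tls_session *s, void (*other_work)(void))
{
    slot_free(s);
    if (other_work) other_work();
    return s->on_close(s->cb_ctx);       /* use after free */
}

/* Fixed pattern: copy out what the teardown needs, invoke it, scrub and
 * release the object, and null the caller's pointer so a repeated
 * shutdown fails closed instead of dereferencing stale memory. */
int session_shutdown_fixed(tls_session **sp, void (*other_work)(void))
{
    tls_session *s = *sp;
    if (!s) return -1;
    close_cb_t cb = s->on_close;
    void *ctx = s->cb_ctx;
    int rc = cb ? cb(ctx) : 0;
    memset(s, 0, sizeof *s);
    slot_free(s);
    *sp = NULL;
    if (other_work) other_work();        /* reclaim now cannot influence rc */
    return rc;
}
```

When nothing reallocates the chunk between the free and the stale read, the vulnerable path still returns the legitimate value, which is why bugs of this shape survive functional testing; once attacker data occupies the chunk, the same code transfers control to the planted pointer. The fixed version never reads the object after releasing it.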
Scope
Exim with GnuTLS support is the default MTA configuration on:
- Debian (all currently supported releases)
- Ubuntu (all currently supported releases and LTS versions)
- Raspbian and derivatives
- Many Linux-based virtual appliances and embedded devices using Debian-based distributions
Exim builds linked against OpenSSL do not contain this code path and are not affected. To check which TLS library your build uses, run exim -bV (exim --version prints the same build information) and look for GnuTLS or OpenSSL in the "Support for:" line; exim --version | grep TLS is a quick way to pull out that line.
Why It Matters
Exim has been the target of several critical RCEs in recent years, including CVE-2019-10149 ("The Return of the WIZard"), which the NSA reported was being exploited by Sandworm, the Russian GRU unit. Public Exim vulnerabilities consistently attract rapid exploitation because the attack surface, port 25 open on every internet-facing mail server, gives reliable reach to a large installed base.
The GnuTLS-specific nature of CVE-2026-45185 affects the majority of Exim deployments on Debian-based distributions. Organisations running Exim as their primary internet-facing MTA or as an internal relay should treat this as a critical patching priority.
Recommended Actions
- Immediate: Update Exim to the patched version on all internet-facing mail servers. On Debian/Ubuntu, apt update && apt upgrade exim4 will apply the fix if the package is available in your distribution's repository; the daemon itself ships in exim4-daemon-light or exim4-daemon-heavy, so confirm the installed version afterwards with dpkg -l 'exim4*'.
- If the package is not yet in your repo: Consider temporarily blocking inbound port 25 from the internet and routing mail through a cloud relay service (e.g., Microsoft Exchange Online Protection, Proofpoint, or Mimecast) until the patch is applied.
- Verify your TLS library: Run exim -bV (or exim --version) and check for "GnuTLS" in the "Support for:" line. OpenSSL-compiled installations are not affected.
- Scan for exposure: Review firewall rules to confirm which systems have port 25 (and 587) exposed to the internet. Any unpatched Exim instance reachable on those ports is a potential exploitation target.
- Check for compromise: Review Exim logs for unusual SMTP connection patterns, in particular bursts of connections that negotiate STARTTLS and then drop without any delivery, unexpected child processes spawned by the Exim daemon, and connections from unusual source IPs.