Exim GnuTLS builds hit by ‘Dead.Letter’ BDAT flaw
Exim builds compiled with GnuTLS are affected by a BDAT use-after-free (CVE-2026-45185, “Dead.Letter”) that can corrupt heap memory and allow possible remote code execution; fixed in 4.99.3.
Exim has released security updates after researchers reported a use-after-free flaw in BDAT message parsing for builds that use GnuTLS. The bug, tracked as CVE-2026-45185 and nicknamed “Dead.Letter,” affects Exim versions 4.97 through 4.99.2 and was fixed in Exim 4.99.3.
The vulnerability occurs when a client using the CHUNKING (BDAT) SMTP extension sends a TLS close_notify alert before finishing a BDAT transfer and then sends a final cleartext byte on the same TCP connection. During TLS shutdown Exim frees its TLS transfer buffer while a nested BDAT receive routine can still run and call ungetc(), which writes a newline character into freed memory. That single-byte write can corrupt heap allocator metadata and can be used to develop further exploitation techniques leading to potential remote code execution.
Only Exim builds compiled with USE_GNUTLS=yes are affected. Builds that rely on other TLS libraries, such as OpenSSL, are not vulnerable. Exim acknowledged the issue in an advisory and published the 4.99.3 update to address the flaw.
Federico Kirschbaum, head of Security Lab at XBOW, reported the issue to Exim on May 1, 2026 and explained the failure mode: the program frees the TLS transfer buffer during shutdown while a nested BDAT wrapper can still process incoming bytes and invoke ungetc(), which writes into the freed region and corrupts allocator state. XBOW described the discovery as “one of the highest-caliber bugs” found in Exim and noted that triggering it requires only the ability to establish a TLS session and submit BDAT data.
Exim’s patch clears the input processing stack when a TLS close notification arrives during an active BDAT transfer, preventing stale pointers from being used after the TLS session teardown. The vendor advised operators to upgrade to version 4.99.3 as the only full mitigation.
Administrators should prioritize updates for mail servers compiled with GnuTLS that accept BDAT over TLS. A similar BDAT-related use-after-free was fixed in late 2017 (CVE-2017-16943), which also allowed unauthenticated attackers to run code via crafted BDAT commands.
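A quick triage check for the two conditions the advisory names (GnuTLS build and a version in the 4.97 to 4.99.2 range), written here as an added example rather than anything published by Exim or XBOW. It parses the output of `exim -bV`; the sample output embedded below is constructed, and the feature-line and version-line formats are assumed to match what the real binary prints.

```python
import re
import subprocess

# Affected range as stated in the advisory: 4.97 through 4.99.2 (fixed in 4.99.3).
AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)

# Constructed sample of `exim -bV` output (not captured from a real server).
# The "Support for:" line lists build features, including the TLS library.
SAMPLE_BV = """\
Exim version 4.99.2 #1 built 10-Apr-2026 08:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM GnuTLS TLS_resume DKIM DNSSEC Event OCSP PRDR
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch
Library version: GnuTLS: Compiled: 3.8.3 Runtime: 3.8.3
"""


def parse_version(text):
    """Return the Exim version as (major, minor, patch), or None if absent."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_library(text):
    """Return 'GnuTLS', 'OpenSSL' or None from the 'Support for:' feature list."""
    m = re.search(r"^Support for:(.*)$", text, re.M)
    if not m:
        return None
    features = m.group(1).split()
    if "GnuTLS" in features:
        return "GnuTLS"
    if "OpenSSL" in features:
        return "OpenSSL"
    return None


def is_affected(text):
    """True only for a GnuTLS build whose version lies inside the affected range."""
    ver = parse_version(text)
    lib = tls_library(text)
    return ver is not None and lib == "GnuTLS" and AFFECTED_MIN <= ver <= AFFECTED_MAX


if __name__ == "__main__":
    # On a real host, feed the live `exim -bV` output instead of the sample.
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    print("affected" if is_affected(out or SAMPLE_BV) else "not affected")
```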