

Ethical Hacking News

New Exim Vulnerability Reveals Potential for Code Execution


Exim has released a security update for a use-after-free vulnerability that can corrupt the heap and potentially lead to code execution. The affected versions are 4.97 through 4.99.2; the fix ships in 4.99.3.

  • A use-after-free in the Exim MTA allows heap memory corruption and potentially code execution.
  • The bug was reported on May 1st, 2026 and affects all Exim versions from 4.97 through 4.99.2 that were built with GnuTLS; it is fixed in 4.99.3.
  • Triggering it needs almost no special server configuration, only a TLS connection and the CHUNKING (BDAT) SMTP extension, which makes this a high-priority fix.
  • The flaw is in BDAT message body parsing when the client closes the GnuTLS session (close_notify) before the body transfer is complete.
  • A patch has been released; affected installations should upgrade.



    A new vulnerability has been disclosed in Exim, the widely deployed open-source Mail Transfer Agent (MTA). The Exim team has released security updates for the issue, which could allow an attacker to execute code on systems running vulnerable builds of the software.

    Exim is widely used across Unix-like systems for receiving, routing, and delivering email. In this case, researchers identified a use-after-free in Exim's handling of the BDAT command (the SMTP CHUNKING extension for transferring message bodies) when the connection is protected by TLS via GnuTLS.

    The issue was reported by Federico Kirschbaum, head of Security Lab at XBOW, an autonomous cybersecurity testing platform, who discovered it on May 1st, 2026. According to Kirschbaum, the vulnerability is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete, followed by a final byte sent in cleartext on the same TCP connection.

    When that happens, Exim writes the incoming byte into a buffer that was already freed during the TLS session teardown. The resulting heap corruption could, in the worst case, lead to remote code execution. The only requirements for an attacker are the ability to establish a TLS connection to the server and to use the CHUNKING (BDAT) SMTP extension.

    The vulnerability affects all Exim versions from 4.97 up to and including 4.99.2, but only builds compiled with USE_GNUTLS=yes; builds that use another TLS library such as OpenSSL are not affected. Running exim -bV shows the version and, on the "Support for:" line, whether the binary was built against GnuTLS or OpenSSL, which is a quick way to confirm whether a given installation is in scope.

    XBOW described the bug as "one of the highest-caliber bugs" discovered in Exim to date, adding that triggering it requires almost no special configuration on the server. The fix in version 4.99.3 ensures that the input processing stacks are cleanly reset when a TLS close notification is received during an active BDAT transfer, so that no stale pointer into the torn-down TLS layer is used afterwards.
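    To make the failure mode described above concrete, the following is a deliberately simplified model, added for this page, of how a body reader can keep a pointer into a buffer owned by the TLS layer and then write through it after close_notify, together with the style of fix the article describes for 4.99.3 (rebinding the reader to the live input layer when the TLS layer is torn down). This is not Exim's code; every type, function and buffer name is invented. A fake allocator flags freed buffers so the stale write is reported as a return code instead of silently corrupting real heap memory, which is what would happen in a real process.

```c
/*
 * Illustrative model of a "body reader holds a pointer into the TLS layer's
 * buffer" use-after-free, and of resetting that binding on close_notify.
 * Not Exim's code; all names are invented for this example.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SZ 64

typedef struct {                 /* fake heap allocation */
    unsigned char data[BUF_SZ];
    int freed;                   /* set by fake_free(); lets us detect stale writes */
} chunk_t;

typedef struct {                 /* one layer of the input stack */
    const char *name;            /* "socket" (cleartext) or "tls" */
    chunk_t    *buf;             /* receive buffer owned by this layer */
} in_layer_t;

typedef struct {
    chunk_t    sock_buf, tls_buf;
    in_layer_t layers[2];        /* layers[0] = cleartext socket, layers[1] = TLS */
    int        depth;            /* number of active layers */
    /* BDAT body reader state */
    int        bdat_active;
    size_t     bdat_remaining;   /* bytes still expected for this chunk */
    chunk_t   *bdat_buf;         /* buffer the body bytes are written into */
    size_t     bdat_off;
} session_t;

enum { RX_OK = 0, RX_IGNORED = 1, RX_UAF_WRITE = -1 };

/* Model of free(): poison the buffer and mark it dead. */
static void fake_free(chunk_t *c) { memset(c->data, 0xdd, BUF_SZ); c->freed = 1; }

static void session_init(session_t *s) {
    memset(s, 0, sizeof *s);
    s->layers[0] = (in_layer_t){ "socket", &s->sock_buf };
    s->depth = 1;
}

/* STARTTLS: push the TLS layer; all further input is read through it. */
static void session_starttls(session_t *s) {
    s->layers[1] = (in_layer_t){ "tls", &s->tls_buf };
    s->depth = 2;
}

/* BDAT <n>: start a body chunk; the reader binds to the top layer's buffer. */
static void session_bdat_begin(session_t *s, size_t n) {
    s->bdat_active = 1;
    s->bdat_remaining = n;
    s->bdat_off = 0;
    s->bdat_buf = s->layers[s->depth - 1].buf;
}

/* Peer sends TLS close_notify mid-BDAT: tear down the TLS layer, free its buffer. */
static void tls_close_notify_vuln(session_t *s) {
    fake_free(&s->tls_buf);
    s->depth = 1;            /* input now comes from the cleartext socket ... */
    /* BUG: bdat_buf still points at the freed TLS buffer. */
}

/* Fixed variant: also reset the body reader's binding to the live input layer. */
static void tls_close_notify_fixed(session_t *s) {
    fake_free(&s->tls_buf);
    s->depth = 1;
    if (s->bdat_active)
        s->bdat_buf = s->layers[s->depth - 1].buf;   /* rebind to the socket buffer */
}

/* One body byte arrives on the TCP connection and is handed to the BDAT reader. */
static int session_rx_body_byte(session_t *s, unsigned char b) {
    if (!s->bdat_active || s->bdat_remaining == 0) return RX_IGNORED;
    if (s->bdat_buf->freed) return RX_UAF_WRITE;     /* real heap: silent corruption */
    if (s->bdat_off >= BUF_SZ) return RX_IGNORED;
    s->bdat_buf->data[s->bdat_off++] = b;
    s->bdat_remaining--;
    return RX_OK;
}

/* Drive the trigger sequence from the article: STARTTLS, BDAT 3, two bytes over TLS,
 * close_notify before the chunk completes, then the final byte in cleartext. */
static int run_trigger(int use_fix) {
    session_t s;
    session_init(&s);
    session_starttls(&s);
    session_bdat_begin(&s, 3);
    if (session_rx_body_byte(&s, 'A') != RX_OK) return -99;
    if (session_rx_body_byte(&s, 'B') != RX_OK) return -99;
    if (use_fix) tls_close_notify_fixed(&s); else tls_close_notify_vuln(&s);
    return session_rx_body_byte(&s, 'C');            /* the cleartext byte */
}

int main(void) {
    printf("vulnerable teardown: %d (RX_UAF_WRITE = -1)\n", run_trigger(0));
    printf("fixed teardown:      %d (RX_OK = 0)\n", run_trigger(1));
    return 0;
}
```

    The point of the model is structural: the body reader caches a pointer that belongs to a lower layer, and nothing invalidates that cache when the layer disappears. The fix is not in the reader's write path but in the teardown path, which is where the article says 4.99.3 resets the input processing stacks.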

    The Exim team has issued updated packages that prevent the memory corruption and the resulting potential for code execution. Administrators running any vulnerable version, in particular GnuTLS builds, should upgrade to 4.99.3 as soon as possible.

    The discovery of this vulnerability highlights the ongoing importance of vigilance and proactive maintenance in software updates. While it may seem daunting, taking swift action on identified vulnerabilities can prevent potentially catastrophic consequences and protect sensitive data from unauthorized access or manipulation.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Exim-Vulnerability-Reveals-Potential-for-Code-Execution-ehn.shtml

  • https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html

  • https://www.sepe.gr/en/it-technology/cybersecurity/22724605/new-exim-bdat-vulnerability-exposes-gnutls-builds-to-potential-code-execution/


  • Published: Tue May 12 13:43:49 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News. All rights reserved.
