
Introduction
The ubiquitous Exim mail transfer agent (MTA) — which powers roughly half of the world’s internet‑facing email servers — has been found harboring a critical unauthenticated remote code execution (RCE) vulnerability. Tracked as CVE‑2026‑45185 and nicknamed “Dead.Letter”, this use‑after‑free flaw can be triggered remotely with no credentials and no user interaction when Exim is compiled with GnuTLS, the default TLS library on most Debian‑based distributions, including Ubuntu. The vulnerability was discovered by security firm XBOW during early testing of their autonomous vulnerability research platform, which leverages large language models (LLMs) to accelerate native‑code analysis. The discovery not only led to a coordinated disclosure but also prompted an unusual human‑vs‑AI race to develop the first working exploit.
Learning Objectives
- Understand the technical root cause of CVE‑2026‑45185: Learn how a one‑byte write into a freed TLS buffer (a use‑after‑free) can escalate to full remote code execution.
- Analyze AI’s role in modern vulnerability research: Examine the capabilities and limitations of autonomous LLM‑based systems in discovering and weaponising memory corruption bugs.
- Implement effective detection and mitigation strategies: Acquire practical commands to identify vulnerable Exim versions, apply patches, harden configurations, and monitor for exploitation attempts.
You Should Know
1. Inside the “Dead.Letter” Vulnerability: From a Single Newline to Full RCE
The bug is a classic use‑after‑free (UAF) in Exim’s BDAT (binary data) body parsing path when a TLS connection is handled by GnuTLS. During a normal TLS shutdown, Exim calls `tls_close()`, which frees the TLS transfer buffer (`state->xfer_buffer`) but leaves the underlying function pointers — including `lwr_receive_ungetc` — still pointing to TLS handlers. If a BDAT chunk is in progress when the TLS connection is terminated, the parser may later call `bdat_ungetc('\n')` to repair an incomplete SMTP line. This ungetc operation writes a single newline character into the already‑freed memory region.
That one‑byte write lands on Exim’s custom bump allocator metadata, specifically corrupting the `storeblock.length` field of a `pooldesc` structure. By carefully controlling the allocation size of the corrupted block (using a crafted `MAIL FROM` command with a long comment), an attacker can inflate the allocator’s idea of available space. Subsequent `store_get()` calls then allocate from non‑existent memory, enabling arbitrary read/write primitives and ultimately remote code execution.
Step‑by‑Step Vulnerability Triggers & Exploit Primitives
The following steps outline the logical flow (not a ready‑to‑use exploit, as the full weaponization is complex and patched):
1. Establish a TLS session with the Exim server (requires STARTTLS): `openssl s_client -starttls smtp -connect target:25`
2. Send a `BDAT` command with a large chunk size to initiate binary data transfer: `BDAT 50000 LAST`
3. Immediately initiate a TLS shutdown (e.g., send `STARTTLS` again or close the connection abruptly). This triggers `tls_close()` and frees the buffer.
4. Force the parser into the repair path by constructing the BDAT chunk so that the body ends without a CRLF sequence, causing `read_message_bdat_smtp` to call `bdat_ungetc('\n')`.
5. Shape the allocator state by sending a `MAIL FROM` command with a specially crafted comment length (e.g., `MAIL FROM: <[email protected](AAAA…AAA)>`) to allocate an exact‑sized block in the corrupted pool.
6. Trigger the UAF write, corrupting the `storeblock.length` field to create an oversized block.
7. Use subsequent allocations (e.g., via `RCPT TO` or further `BDAT` commands) to read/write beyond block boundaries, achieving code execution.
Note: Real exploitation requires deep knowledge of Exim’s allocator internals and memory layout. The patches and security updates break the primitive at step 5.
2. Detection: Identifying Vulnerable Exim Installations
CVE‑2026‑45185 affects Exim versions before 4.99.3 when compiled with GnuTLS. To determine if your server is vulnerable:
Linux Detection Commands
```bash
# Check Exim version
exim -bV | head -1
# On Debian/Ubuntu systems, also check the installed package version
dpkg -l | grep exim4
# Verify if Exim is linked against GnuTLS
ldd $(which exim) | grep gnutls
# Examine the running process for the version
ps aux | grep exim
```
If the version is < 4.99.3 and GnuTLS is used, the server is vulnerable. Also check whether `BDAT` support is enabled (on by default in most modern Exim builds). A server that accepts `BDAT` advertises the `CHUNKING` keyword in its EHLO response (RFC 3030), so grep for that keyword rather than for the command name:
```bash
# Connect to Exim SMTP, issue EHLO and look for the CHUNKING (BDAT) keyword
printf 'EHLO test\r\nQUIT\r\n' | nc -w 3 target 25 | grep -i chunking
```
Whether `CHUNKING` is advertised to a given client is governed by Exim’s `chunking_advertise_hosts` option, so an absent keyword from one vantage point does not prove the code path is unreachable from others.
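The three checks above (version, TLS library, EHLO keywords) are easy to run by hand on one host but tedious across a fleet. The following is an added example, not code from the original post or from XBOW: a small triage helper that takes the text you already collect from `exim -bV`, `ldd $(which exim)` and an EHLO exchange and returns a single in-scope/out-of-scope verdict. The sample command outputs embedded in it are constructed for illustration, and the cut-off version 4.99.3 is taken from the advisory text above.

```python
"""Triage helper for CVE-2026-45185 exposure (added example, not from the post).
Feeds on captured text from `exim -bV`, `ldd $(which exim)` and an EHLO reply."""
import re
from dataclasses import dataclass

FIXED_VERSION = (4, 99, 3)  # first release carrying the fix, per the advisory text

# Constructed sample outputs (not captured from a real host)
SAMPLE_BV = "Exim version 4.98.2 #2 built 01-Jan-2026 10:00:00\nCopyright (c) University of Cambridge"
SAMPLE_LDD = ("\tlibgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f00)\n"
              "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007e00)\n")
SAMPLE_EHLO = ("220 mail.example.test ESMTP Exim 4.98.2\r\n"
               "250-mail.example.test Hello test [192.0.2.10]\r\n"
               "250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
               "250-CHUNKING\r\n250-STARTTLS\r\n250 HELP\r\n")


def parse_exim_version(bv_output):
    """Return (major, minor, patch) from the 'Exim version X.Y[.Z]' line; patch defaults to 0."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        raise ValueError("no Exim version string found in `exim -bV` output")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def links_gnutls(ldd_output):
    """True if the binary is dynamically linked against libgnutls (the affected TLS backend)."""
    return any("libgnutls.so" in line for line in ldd_output.splitlines())


def ehlo_keywords(ehlo_output):
    """Collect EHLO keywords from the 250 multiline reply; the first 250 line is
    the server greeting (hostname) and is skipped."""
    kws, seen_greeting = set(), False
    for line in ehlo_output.splitlines():
        if not (line.startswith("250-") or line.startswith("250 ")):
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        kws.add(line[4:].split()[0].upper())
    return kws


@dataclass
class Assessment:
    version: tuple
    gnutls: bool
    chunking: bool
    vulnerable: bool
    reason: str


def assess(bv_output, ldd_output, ehlo_output):
    """Combine the three observations into one verdict, most decisive condition first."""
    ver = parse_exim_version(bv_output)
    gnutls = links_gnutls(ldd_output)
    chunking = "CHUNKING" in ehlo_keywords(ehlo_output)
    if ver >= FIXED_VERSION:
        return Assessment(ver, gnutls, chunking, False, "patched release (>= 4.99.3)")
    if not gnutls:
        return Assessment(ver, gnutls, chunking, False,
                          "pre-fix release, but not a GnuTLS build; advisory scopes the bug to GnuTLS")
    if not chunking:
        return Assessment(ver, gnutls, chunking, True,
                          "unpatched GnuTLS build; CHUNKING not advertised to this client "
                          "(check chunking_advertise_hosts for others), patch regardless")
    return Assessment(ver, gnutls, chunking, True,
                      "unpatched GnuTLS build advertising CHUNKING (BDAT): patch immediately")


if __name__ == "__main__":
    print(assess(SAMPLE_BV, SAMPLE_LDD, SAMPLE_EHLO))
```

In practice you would replace the three sample strings with `subprocess.run([...], capture_output=True, text=True).stdout` on each host, or feed it files gathered by your configuration-management tool; the verdict logic stays the same.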
Windows / Cross‑Platform Detection
While Exim is primarily a Unix MTA, you may run it in WSL or other POSIX environments. Use the same detection commands via WSL or a remote banner grab:
```powershell
# PowerShell-based SMTP banner grab and EHLO keyword check
$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect("target", 25)
$stream = $tcp.GetStream()
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"        # SMTP lines end in CRLF regardless of host platform
$reader = New-Object System.IO.StreamReader($stream)
$reader.ReadLine()              # 220 banner, normally includes the Exim version
$writer.WriteLine("EHLO test")
$writer.Flush()
# Read the multiline 250 reply; look for CHUNKING (BDAT support) and STARTTLS
do { $line = $reader.ReadLine(); $line } while ($line -and $line.StartsWith("250-"))
$writer.WriteLine("QUIT")
$writer.Flush()
$tcp.Close()
```
Network Intrusion Detection / Snort Rule
A basic rule to detect suspicious `BDAT` + `STARTTLS` sequences (the first `content` match uses `depth` rather than `within`, since `within` is only valid relative to a preceding match):
```
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Exim Dead.Letter UAF Attempt"; flow:to_server,established; content:"BDAT"; nocase; depth:100; content:"LAST"; nocase; within:50; content:"STARTTLS"; nocase; within:200; classtype:attempted-admin; sid:20260451; rev:1;)
```
Because the trigger sequence described above runs inside an already established TLS session, a network sensor sees only ciphertext at that point; a payload signature like this catches plaintext attempts (or traffic behind a TLS‑terminating proxy) and should be treated as a low‑confidence indicator, with patch status and host logs providing the real assurance.
3. Mitigation: Patching and Hardening Exim
The immediate and only reliable mitigation is to upgrade Exim to version 4.99.3 or later. The fix restores the storeblock length field correctly and prevents the use‑after‑free scenario.
Patch Commands for Linux Distributions
- Debian / Ubuntu (including Ubuntu 24.04 LTS and similar):
```bash
sudo apt update
sudo apt upgrade exim4 exim4-base exim4-config
sudo systemctl restart exim4
```
- RHEL / CentOS / Rocky Linux (if using EPEL):
```bash
sudo yum update exim
sudo systemctl restart exim
```
- From source (if you maintain a custom build):
```bash
wget https://ftp.exim.org/pub/exim/exim4/exim-4.99.3.tar.gz
tar xzf exim-4.99.3.tar.gz
cd exim-4.99.3
mkdir -p Local
cp src/EDITME Local/Makefile
# Edit Local/Makefile before building: EXIM_USER is mandatory, and this is
# where the TLS backend (USE_GNUTLS / USE_OPENSSL) is selected
make
sudo make install
```
After patching, verify the update:
```bash
exim -bV | grep "version 4.99.3"
```
Workaround if Patching Not Immediately Possible
- Disable TLS entirely: Remove `STARTTLS` from Exim’s configuration (`MAIN_TLS_ENABLE`). This is only a temporary measure and breaks encrypted email delivery.
- Use a different TLS library: The vulnerability is specific to GnuTLS. Switching to OpenSSL (if your Exim build supports it) breaks the exploit path. This requires recompiling Exim with `USE_GNUTLS=no` and `USE_OPENSSL=yes`.
- Block BDAT at network level: Use a firewall or IPS to drop packets containing the string “BDAT” and “LAST” in SMTP sessions. This prevents the vulnerability from being reached but may interfere with legitimate binary transfers.
4. AI vs. Human: The Race to Exploit
XBOW used the coordinated disclosure window to conduct a “race” between human exploit developers and their autonomous LLM‑based agent. The experiment aimed to measure how far each could go in building a working exploit from the zero‑day research.
- Human track: A seasoned security researcher with no prior Exim source code reading experience spent days reverse‑engineering the allocator, crafting the heap grooming steps, and developing the final RCE chain.
- AI track: The autonomous XBOW agent, using a combination of static analysis, dynamic tracing, and LLM‑guided code reasoning, was able to identify the UAF root cause and synthesise a functional exploit primitive in a significantly shorter time — though the researcher still performed better when complex environment‑specific adjustments were required.
The key takeaway is that LLMs dramatically accelerate the initial vulnerability discovery and exploitation primitives, but human expertise remains indispensable for production‑ready reliability and complex memory corruption chains. The full race details are documented in the original XBOW article.
5. Cloud & Container Hardening: Protecting Exim in Modern Environments
Many cloud workloads and containers still run Exim as a lightweight MTA. This vulnerability is especially critical because containers often run with minimal isolation.
Docker / Kubernetes Detection
```bash
# Find containers running Exim
docker ps --filter "status=running" | grep exim
kubectl get pods --all-namespaces | grep exim
# Check version inside a container
docker exec <container_id> exim -bV
```
Mitigation in Orchestrated Environments
- Immediate actions:
```bash
# Update image and redeploy
docker pull exim:latest            # after a patched image is available
kubectl set image deployment/exim-deployment exim=exim:latest
```
- Use admission controllers (e.g., OPA/Gatekeeper) to block pods running vulnerable Exim versions.
- Implement network policies to restrict SMTP ingress to only authorised sources.
Cloud Security Groups (AWS, Azure, GCP)
Temporarily restrict port 25/587/465 access to only trusted IP ranges while patching:
```hcl
# Terraform example for AWS
resource "aws_security_group" "smtp_maintenance" {
  name        = "smtp-maintenance"
  description = "Temporarily restrict SMTP ingress while patching Exim"

  ingress {
    from_port   = 25
    to_port     = 25
    protocol    = "tcp"
    cidr_blocks = ["192.0.2.0/24"] # only internal subnet
  }
}
```
6. API Security & Log Analysis: Detecting Post‑Exploitation
After patching, monitor logs for signs of compromise:
- Unusual Exim log entries (`/var/log/exim4/mainlog`):
```bash
# Look for long MAIL FROM comments (potential heap grooming)
grep -E "MAIL FROM.([A-Za-z]{50,})" /var/log/exim4/mainlog
# Unexpected process crashes (SIGSEGV related to TLS)
dmesg | grep -i "exim.segfault"
```
- Modified binaries / libraries (use `aide` or `tripwire`):
```bash
sudo aide --check | grep exim
```
- Unusual outbound network connections (possible shell callback):
```bash
sudo netstat -tunap | grep exim | grep ESTABLISHED
```
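The grep one-liners above answer "did this ever happen" but not "which clients, how often, and did a crash follow". The following is an added example, not code from the original post: a small log-review script that runs the same two indicators (long parenthesised sender comments and Exim segfaults in the kernel log) over sample lines and groups the hits by client address so the noisiest source can be prioritised. The sample log lines are constructed for illustration; the field layout (`H=(name) [ip]`, `F=<sender>`, `exim4[pid]: segfault`) follows typical Debian Exim and kernel formatting and is an assumption about your hosts, as is the 50-character threshold carried over from the grep above. Note that which SMTP commands reach the mainlog at all depends on your `log_selector` settings.

```python
"""Post-patch log review for Dead.Letter indicators (added example, not from the post)."""
import re
from collections import Counter

# Constructed sample mainlog lines (not from a real host). The first and third
# carry a long parenthesised comment in the sender address, the heap-grooming
# indicator from the section above; the second is ordinary accepted mail.
SAMPLE_MAINLOG = [
    "2026-02-01 12:00:01 H=(probe) [192.0.2.10] F=<alice@example.test(" + "A" * 120
    + ")> rejected RCPT <bob@example.test>: relay not permitted",
    "2026-02-01 12:00:02 1uAbCd-000001-Zz <= carol@example.test H=mx.example.test "
    "[198.51.100.7] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 S=2048",
    "2026-02-01 12:00:03 SMTP protocol error in \"MAIL FROM:<dave@example.test("
    + "B" * 64 + ")>\" H=(probe) [192.0.2.10]",
]
# Constructed sample kernel log lines (dmesg style)
SAMPLE_DMESG = [
    "[12345.678901] exim4[4242]: segfault at 0 ip 00005555deadbeef sp 00007ffc00000000 "
    "error 4 in exim4[555500000000+100000]",
    "[12346.000000] eth0: link up",
]

CLIENT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # the [ip] part of H=(name) [ip]
SEGV_RE = re.compile(r"\bexim4?\[\d+\]: segfault")         # kernel segfault report for exim/exim4


def long_sender_comments(lines, min_len=50):
    """Return hits for sender addresses carrying a parenthesised comment of min_len+ chars.
    Only lines that show a sender (F=<...>) or echo a MAIL FROM command are considered."""
    comment_re = re.compile(r"\(([A-Za-z0-9]{%d,})\)" % min_len)
    hits = []
    for line in lines:
        if "F=<" not in line and "MAIL FROM" not in line:
            continue
        m = comment_re.search(line)
        if not m:
            continue
        ip = CLIENT_RE.search(line)
        hits.append({"client": ip.group(1) if ip else None,
                     "comment_len": len(m.group(1)), "line": line})
    return hits


def exim_segfaults(dmesg_lines):
    """Kernel log lines reporting an Exim process crash."""
    return [line for line in dmesg_lines if SEGV_RE.search(line)]


def clients_by_hits(hits):
    """Count long-comment hits per client address, noisiest first."""
    return Counter(h["client"] for h in hits)


def triage(mainlog_lines, dmesg_lines, min_len=50):
    """One summary dict suitable for a ticket or a SIEM enrichment field."""
    hits = long_sender_comments(mainlog_lines, min_len)
    crashes = exim_segfaults(dmesg_lines)
    return {
        "long_comment_hits": len(hits),
        "top_clients": clients_by_hits(hits).most_common(3),
        "segfaults": len(crashes),
        # both indicators together on one host are far stronger than either alone
        "needs_forensic_review": bool(hits) and bool(crashes),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MAINLOG, SAMPLE_DMESG))
```

On a real host, read `/var/log/exim4/mainlog` (and rotated copies) and the output of `dmesg` or `journalctl -k` into the two lists; raise `min_len` if your legitimate senders use long display comments and the default threshold is noisy.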
7. Training & Further Reading
- Exim Security Training: The official Exim documentation includes security hardening guidelines (https://www.exim.org/docs.html).
- Memory Corruption Exploitation Courses: Platforms like Offensive Security’s “Advanced Windows Exploitation” or “Linux Heap Exploitation” cover the fundamental techniques used in this bug.
- AI in Cybersecurity: XBOW’s public research blog (https://xbow.com/blog/) provides ongoing analysis of LLM‑assisted vulnerability discovery.
- CVE‑2026‑45185 Technical Write‑up: The full source code analysis, allocator diagrams, and both human/AI exploit walks are available at xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim.
What Undercode Say
- Key Takeaway 1: Modern AI agents are not just theoretical — they are already discovering and weaponising zero‑day vulnerabilities in mission‑critical software like Exim, reducing the time from discovery to exploit to days.
- Key Takeaway 2: The Exim “Dead.Letter” case reinforces the importance of a defence‑in‑depth strategy: patching is essential, but network segmentation, IDS rules, and container hardening remain necessary to block exploitation attempts before a patch is applied.
The collaborative race between human researchers and autonomous AI tools demonstrates a future where vulnerability research becomes vastly more efficient — but also more dangerous. While AI lowers the barrier to discovering bugs, it does not remove the need for in‑depth systems knowledge to turn a primitive into a reliable exploit. For defenders, this means attack surfaces are shrinking in terms of discovery time; we must adopt real‑time patch management and proactive monitoring to keep pace. The Exim flaw, buried in a 20‑year‑old codebase and triggered by a single newline character, serves as a stark reminder that even the smallest oversight can cascade into a full system takeover.
Prediction
The successful unauthenticated RCE in Exim, accelerated by AI‑driven research, will likely trigger a wave of similar LLM‑assisted discoveries in other long‑standing, monolithic Unix services (e.g., Sendmail, OpenSMTPD, Dovecot). Expect increased pressure on open‑source maintainers to integrate automated fuzzing and formal verification into their CI pipelines, as manual code audits become insufficient against AI‑augmented adversaries. Within the next 12 months, we may see the first fully autonomous bug bounty hunter — a system that discovers, proves, and reports vulnerabilities with minimal human input, reshaping the economics of zero‑day markets. Conversely, defenders will increasingly deploy AI‑based behavioural detection to catch heap‑corruption patterns in real time, turning the attacker’s advantage into a mutual escalation race.
Reported By: Wreyor Interesting – Hackers Feeds