13 May 2026

Critical Exim flaw with GnuTLS: is your Linux mail server exposed?

Critical Exim vulnerability: are your Linux servers safe?

Email security is a cornerstone of any enterprise infrastructure. A recent disclosure has shaken the cybersecurity landscape: a critical vulnerability in Exim, the widely deployed open-source mail transfer agent (MTA) used on countless Linux servers worldwide. The issue is tracked as CVE-2026-45185, nicknamed “Dead.Letter”, and it carries a serious remote code execution (RCE) risk.

Understanding CVE-2026-45185 (Dead.Letter)

Exim is a natural target: it is open source, ubiquitous on Unix-like systems, and central to how organisations deliver mail. Dead.Letter is described as a use-after-free bug that manifests when Exim processes a message body using BDAT (Binary Data Transmission), and TLS is handled by GnuTLS. Not every Exim deployment is affected—risk is tied to builds configured specifically with USE_GNUTLS=yes.

Exploitation mechanics

The attack path is narrow but worrying because of what it unlocks. An attacker may trigger the flaw by sending a TLS close_notify alert before the BDAT body transfer finishes, then sending a final cleartext byte on the same TCP connection. That sequence can lead Exim to write into heap memory that was already freed while the TLS session was torn down. According to Federico Kirschbaum, who reported the issue, writing a single newline (\n) byte over Exim allocator metadata is enough to corrupt internal structures and later obtain stronger execution primitives. The exploit reportedly needs little server-side configuration, which broadens exposure.

Technical and business impact

Remote code execution on a mail server is a worst-case outcome. It may enable an attacker to:

  • Take over the host: Full control over the server, sensitive data, and user credentials.
  • Abuse the mail channel: Send spam, phishing, or malware outbound—destroying domain reputation.
  • Disrupt operations: Denial-of-service against mail flows that the business depends on.
  • Exfiltrate mail: Access confidential messages, customer lists, trade secrets, and private correspondence.
  • Pivot internally: Use the compromised MTA as a launch pad for deeper network attacks.

For organisations that run Exim, this is a direct threat to continuity, confidentiality, and trust.

Remediation and mitigation

Exim addressed the bug in version 4.99.3. The fix ensures the input-processing stack is reset cleanly when a TLS close notification arrives during an active BDAT transfer, avoiding stale pointer use.

Immediate priorities:

  • Patch first: If you run Exim 4.97 through 4.99.2 with GnuTLS, move to 4.99.3 as soon as your change window allows. There is no full substitute for patching.
  • Audit mail infrastructure: Review configurations, exposure, TLS stacks, and applied security updates on a recurring basis.
  • Harden Linux hosts: Reduce services, enforce firewall policy, apply least privilege, and segment networks—especially for internet-facing systems.
  • Monitor and respond: Watch for anomalous behaviour on mail daemons and maintain a tested incident response playbook for fast containment.
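To make the “Patch first” item a repeatable check across a fleet, here is an added example (not code from the post or from the Exim project) that parses `exim -bV` output and flags hosts that sit in the 4.97 through 4.99.2 window and are built with GnuTLS. It assumes `exim -bV` prints an “Exim version X.Y.Z” line and a “Support for:” line naming the TLS library; the sample outputs are constructed, not captured from a real host.

```python
"""Assess an Exim host for the Dead.Letter (CVE-2026-45185) exposure window.

Logic taken from the post: Exim 4.97 through 4.99.2 built with GnuTLS
(USE_GNUTLS=yes) is affected; 4.99.3 carries the fix. The `exim -bV` output
format (an "Exim version X.Y.Z" line plus a "Support for:" line listing the
TLS library) is an assumption about current builds, not a claim of the post.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]
AFFECTED_MIN: Version = (4, 97, 0)
AFFECTED_MAX: Version = (4, 99, 2)  # inclusive; 4.99.3 is the fixed release


def parse_version(bv_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the 'Exim version ...' line."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def built_with_gnutls(bv_output: str) -> bool:
    """True when the 'Support for:' line lists GnuTLS as the TLS library."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    return bool(m) and "GnuTLS" in m.group(1).split()


def assess(bv_output: str) -> dict:
    """Combine version window and TLS library into an exposure verdict."""
    ver = parse_version(bv_output)
    gnutls = built_with_gnutls(bv_output)
    in_window = ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX
    return {"version": ver, "gnutls": gnutls, "exposed": in_window and gnutls}


# Constructed samples of `exim -bV` output for offline use (not real hosts).
SAMPLE_VULNERABLE = """Exim version 4.98 #2 built 10-Mar-2025 12:00:00
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DKIM DNSSEC
Library version: GnuTLS: Compile: 3.8.3  Runtime: 3.8.3
"""
SAMPLE_OPENSSL = SAMPLE_VULNERABLE.replace("GnuTLS", "OpenSSL")
SAMPLE_PATCHED = SAMPLE_VULNERABLE.replace("4.98 #2", "4.99.3 #1")

if __name__ == "__main__":
    exim = shutil.which("exim") or shutil.which("exim4")
    if exim:  # live check when an Exim binary is on PATH
        out = subprocess.run([exim, "-bV"], capture_output=True, text=True).stdout
        print(assess(out))
    else:  # otherwise walk the constructed samples
        for name, sample in [("vulnerable", SAMPLE_VULNERABLE),
                             ("openssl", SAMPLE_OPENSSL), ("patched", SAMPLE_PATCHED)]:
            print(name, assess(sample))
```

A host reported as `exposed: True` belongs at the front of the 4.99.3 upgrade queue; an OpenSSL build in the same version range is outside the described trigger path but still deserves the routine update.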

A recurring lesson

This is not Exim’s first high-severity use-after-free incident. In late 2017, CVE-2017-16943 in the SMTP daemon also enabled remote code execution and was patched. The pattern underscores disciplined patch management and continuous review of critical-path software such as MTAs. Recent history—including incidents involving MOVEit Automation and Apache HTTP/2—reminds us that core infrastructure components stay on attackers’ radar.

How ITCS VIP can help

At ITCS VIP, we help organisations secure complex, business-critical estates. Relevant services include:

  • Email security assessments: Deep review of mail paths, configurations, and weak spots attackers can abuse.
  • Linux hardening: Practical hardening aligned with recognised security practice to shrink attack surface.
  • Vulnerability and patch programmes: Structures to find, triage, and deploy fixes so exposure windows stay short.
  • Monitoring and response: Instrumentation plus support when incidents occur—limiting blast radius and downtime.
  • Cybersecurity consulting: Strategy tailored to your risk profile and regulatory context.

Conclusion

Dead.Letter is a blunt reminder that no widely used component is “finished” from a security perspective. Proactive risk management, timely updates, and defence in depth remain essential to protect digital assets. Do not underestimate what a compromised mail system can cost—act decisively to protect both infrastructure and data.