
[CIVN-2026-0242] Remote Code Execution Vulnerability in Exim
Remote Code Execution Vulnerability in Exim
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Exim versions 4.97 through 4.99.2
Overview
A vulnerability has been reported in Exim, which could allow an unauthenticated remote attacker to execute arbitrary code on the targeted system.
Target Audience:
All end-user organizations and individuals using Exim.
Risk Assessment:
High risk of remote code execution.
Impact Assessment:
Potential for memory corruption.
Description
Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like operating systems that handles email reception, routing, and delivery.
This vulnerability exists in Exim due to a use-after-free flaw in the BDAT body parsing path. An unauthenticated remote attacker could exploit this vulnerability by sending a TLS close_notify during an active BDAT transfer and subsequently sending an additional cleartext byte over the same TCP connection.
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to execute arbitrary code on the targeted system.
Solution
Apply appropriate updates as mentioned in:
https://www.exim.org/static/doc/security/EXIM-Security-2026-05-01.1/EXIM-Security-2026-05-01.1.txt
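To decide which hosts need the update, the following added example (not part of the CERT-In advisory or of Exim) checks an Exim version string against the affected range stated above and notes whether the server offers CHUNKING, the SMTP extension (RFC 3030) that defines BDAT. The function names and the sample `exim -bV`, banner and EHLO strings are constructed for illustration.

```python
import re

# Affected range exactly as stated in the advisory: 4.97 through 4.99.2.
AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)

# Matches "Exim version 4.98.1 #2 built ..." (exim -bV) and "... ESMTP Exim 4.98 ..." (banner).
VERSION_RE = re.compile(r"\bExim(?: version)? (\d+)\.(\d+)(?:\.(\d+))?")

def parse_exim_version(text):
    """Return (major, minor, patch) found in text, or None if no Exim version is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) if part else 0 for part in m.groups())

def is_affected(version):
    """True when version falls inside the advisory's inclusive range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def advertises_chunking(ehlo_reply):
    """True when an EHLO reply lists CHUNKING (RFC 3030), the extension that defines BDAT."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]([A-Za-z0-9-]+)", line.strip())
        if m and m.group(1).upper() == "CHUNKING":
            return True
    return False

def assess(version_text, ehlo_reply=""):
    """Summarise one host: parsed version, in-range flag, and whether BDAT is offered."""
    version = parse_exim_version(version_text)
    return {
        "version": version,
        "affected": None if version is None else is_affected(version),
        "chunking": advertises_chunking(ehlo_reply),  # informational; the fix is the update
    }

# Constructed sample inputs (not captured from a real host).
SAMPLE_BV = "Exim version 4.98.1 #2 built 01-Mar-2026 10:00:00"
SAMPLE_BANNER = "220 mx.example.org ESMTP Exim 4.96.2 Tue, 05 May 2026 10:00:00 +0000"
SAMPLE_EHLO = ("250-mx.example.org Hello client.example.net [192.0.2.10]\n"
               "250-SIZE 52428800\n250-CHUNKING\n250-STARTTLS\n250 HELP")

if __name__ == "__main__":
    print(assess(SAMPLE_BV, SAMPLE_EHLO))   # in range, CHUNKING offered
    print(assess(SAMPLE_BANNER))            # below the affected range
```

Distribution packages can carry a backported fix under an unchanged upstream version, so confirm an in-range result against the package changelog before treating the host as unpatched.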
Vendor Information
Exim
https://www.exim.org/static/doc/security/EXIM-Security-2026-05-01.1/EXIM-Security-2026-05-01.1.txt
References
Exim
https://www.exim.org/static/doc/security/EXIM-Security-2026-05-01.1/EXIM-Security-2026-05-01.1.txt
The Hacker News
https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html
CVE Name
CVE-2026-45185
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


