CVE-2026-45185

CRITICAL

Exim 4.97-4.99.2 - Unauthenticated Use-After-Free via TLS Close Notify During CHUNKING Transfer


Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-45185. PoCs published by MJ-bin, materaj2, liamromanis101.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2026-45185, focusing on a potential use-after-free (UAF) vulnerability in Exim's SMTP handling during TLS session termination. It includes a walkthrough of the vulnerable code paths, reader model changes, and the conditions required to trigger the issue.

Description

Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.

Exploits (3)

GitHub · Writeup
by MJ-bin · tags: dockerfile, poc
https://github.com/MJ-bin/POC_CVE-2026-45185

This repository provides a detailed technical analysis of CVE-2026-45185, focusing on a potential use-after-free (UAF) vulnerability in Exim's SMTP handling during TLS session termination. It includes a walkthrough of the vulnerable code paths, reader model changes, and the conditions required to trigger the issue.

Classification: Writeup (95%)
Attack Type: Other
Complexity: Complex
Reliability: Theoretical
Target: Exim (version not specified)
Authentication: none needed
Prerequisites: TLS-enabled Exim server · ability to send crafted SMTP commands
Analyzed by devstral-2 on May 19, 2026

nomisec · Scanner
by materaj2 · tags: poc
https://github.com/materaj2/cve-2026-45185-detection-script

The repository contains a Nuclei template for detecting Exim servers vulnerable to CVE-2026-45185, a use-after-free vulnerability in BDAT body parsing during TLS shutdown. The template safely checks for vulnerable versions and required capabilities (STARTTLS and CHUNKING) without triggering the exploit.

Classification: Scanner (100%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Exim 4.97-4.99.2 (GnuTLS build)
Authentication: none needed
Prerequisites: Exim server with SMTP exposed on ports 25, 465, 587, or 2525 · STARTTLS and CHUNKING capabilities advertised
Analyzed by devstral-2 on May 14, 2026

nomisec · Scanner
by liamromanis101 · tags: poc
https://github.com/liamromanis101/Dead.Letter-CVE-2026-45185

The repository contains a shell script designed to detect whether a Linux system is vulnerable to CVE-2026-45185, a use-after-free vulnerability in Exim's BDAT message body parsing when using GnuTLS. The script performs a series of checks to determine the presence and configuration of Exim, its version, TLS library linkage, and system mitigations.

Classification: Scanner (100%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Exim 4.97-4.99.2 (GnuTLS builds only)
Authentication: none needed
Prerequisites: Exim installation · GnuTLS linkage · BDAT/CHUNKING enabled
Analyzed by devstral-2 on May 13, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0123
EPSS Percentile: 64.8%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-416 (Use After Free)
Status: published
Products (2):
  Exim/Exim 4.97 - 4.99.3
  exim/exim 4.97 - 4.99.3
Published: May 12, 2026
Tracked since: May 13, 2026