
A critical security vulnerability in Exim — the mail server software running on roughly half of all internet-facing email servers — allows a remote attacker to execute arbitrary code with zero credentials, zero user interaction, and no special server configuration required.
The vulnerability, tracked as CVE-2026-45185 and nicknamed Dead.Letter, was discovered by security firm XBOW during early testing of their native-code vulnerability analysis platform. The researchers submitted the bug to the Exim maintainers on May 1st and held their findings for 11 days to allow coordinated patching across Linux distributions including Ubuntu 24.04 LTS and other Debian-based systems.
A one-byte write that unlocks the server
The root cause is a use-after-free (UAF) — a class of memory bug where code continues reading or writing memory after it has already been freed — triggered when a TLS-encrypted connection shuts down mid-message. Specifically, the bug fires when a client sends an email body using the BDAT chunking extension (an SMTP feature for sending large messages in declared-size chunks) over a GnuTLS-encrypted connection.
During TLS shutdown, Exim frees its 4096-byte transfer buffer. But a nested BDAT receive wrapper still holds a stale pointer to it. When the body parser encounters a missing line ending, it calls ungetc() — which writes a single newline byte (\n) into that already-freed memory region. That one byte lands on Exim's internal allocator metadata, corrupting the pool's size field and opening the door to full memory control.
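To make the ownership problem concrete, here is a simplified C model of the pattern described above, written for this article and not taken from Exim's source: a session owns a 4096-byte transfer buffer, a nested chunk reader borrows a pointer to it, and TLS shutdown frees the buffer. The struct names, the `reader_unget()` helper and the one-byte-consumed setup are assumptions for illustration; the hardened shutdown clears the borrower's pointer so a later unget is refused rather than written into freed memory.

```c
/* Illustrative model, not Exim's code: a nested reader wrapper that borrows
 * a pointer into a transfer buffer which the TLS layer may free mid-message.
 * In the vulnerable pattern, shutdown frees the buffer but the wrapper keeps
 * a stale pointer, and a later unget writes '\n' into freed memory. The
 * hardened version invalidates the borrower when the buffer is released. */
#include <stdlib.h>
#include <string.h>

#define XFER_BUF_SIZE 4096          /* buffer size mentioned in the writeup */

struct xfer_buf { unsigned char data[XFER_BUF_SIZE]; size_t pos; };

/* The chunked-body reader keeps its own pointer to the shared buffer. */
struct chunk_reader { struct xfer_buf *buf; size_t remaining; };

struct session {
    struct xfer_buf *buf;           /* owned by the session */
    struct chunk_reader rdr;        /* nested wrapper, borrows buf */
};

/* Hypothetical setup: allocate the buffer and hand the reader a borrow. */
int session_init(struct session *s, size_t chunk_len) {
    memset(s, 0, sizeof *s);
    s->buf = calloc(1, sizeof *s->buf);
    if (!s->buf) return -1;
    s->buf->pos = 1;                /* assume one byte was already consumed */
    s->rdr.buf = s->buf;            /* wrapper borrows the buffer */
    s->rdr.remaining = chunk_len;
    return 0;
}

/* Hardened TLS shutdown: free the buffer AND invalidate every borrower. */
void session_tls_shutdown(struct session *s) {
    free(s->buf);
    s->buf = NULL;
    s->rdr.buf = NULL;              /* the vulnerable pattern omits this line */
}

/* Push one byte back for the next read (the role ungetc() plays in the bug).
 * Returns 0 on success, -1 if the buffer is gone or has no room in front. */
int reader_unget(struct chunk_reader *r, unsigned char c) {
    if (r->buf == NULL || r->buf->pos == 0) return -1;
    r->buf->data[--r->buf->pos] = c;
    return 0;
}
```

The defensive point is the ownership rule, not the check alone: whoever frees a shared buffer must also clear every outstanding reference, otherwise a NULL test in the consumer cannot help.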
"The write primitive might seem deceptively weak at first glance — it puts a single newline character into a freed memory region. But that one byte is enough to escalate all the way to remote code execution." — XBOW research team, Dead.Letter writeup
The flaw is especially critical because it requires no special server configuration. A standard Exim installation on Ubuntu, accepting mail over the internet with TLS enabled, is fully exposed. The attacker sends a crafted SMTP session — no login, no prior reconnaissance needed.
Who is affected and what to do
Exim is the default mail transfer agent on Debian and Ubuntu and is widely deployed on shared hosting infrastructure worldwide. Any server running Exim 4.97 with GnuTLS (the default on Debian-based systems) and TLS enabled is potentially vulnerable. However, the Exim developers have already released patches.