Exim, one of the most widely deployed open-source Mail Transfer Agents on Unix-like systems, has a memory corruption flaw that warrants immediate attention from anyone running it in production. CVE-2026-45185, dubbed Dead.Letter, is a use-after-free vulnerability in the BDAT command handler that affects certain configurations—specifically those compiled against GnuTLS.

Understanding the Vulnerability

A use-after-free bug occurs when code dereferences memory that has already been freed. The allocator may by then have handed that block to something else, so the outcome ranges from a crash to attacker-controlled state. In Exim's case, the flaw lies in how the BDAT (Binary Data) command, defined by the SMTP CHUNKING extension in RFC 3030 as an alternative to DATA that sends the message body as length-prefixed chunks, manages memory during the authentication and chunking process.

The severity here is not theoretical. The Exim daemon starts as root, and memory corruption in such a process can be weaponised to achieve arbitrary code execution. An attacker with network access to an affected Exim instance could craft a malicious BDAT sequence to trigger the vulnerability, potentially gaining the privileges of the Exim process itself.

The issue is not universal across all Exim builds. The vulnerability surfaces only in binaries compiled with GnuTLS support, which is how a number of Linux distributions package Exim (Debian's exim4 packages, for example, link against GnuTLS). Admins running OpenSSL builds may have some breathing room, but which library a given binary uses is something to verify with exim -bV rather than assume.

Why This Matters for Hosting Infrastructure

Mail infrastructure remains a critical target. Unlike web services that can tolerate brief downtime, email systems are expected to run continuously and handle traffic from untrusted sources—the entire internet. An MTA like Exim typically listens on port 25 and accepts connections from any host, making it an inherently exposed attack surface.

For shared hosting, reseller hosting, and managed VPS environments, a compromised Exim instance could be leveraged for further lateral movement across the server, access to customer data, or installation of persistent backdoors. The risk extends beyond the mail service itself; email is often intertwined with authentication systems, spam filtering, and logging infrastructure.

For dedicated server and offshore hosting operators, a widespread Exim compromise could implicate the entire datacenter in spam campaigns or malware distribution, damaging reputation and triggering abuse complaints from upstream networks.

Patching and Verification

Exim has released security updates that address the BDAT handling logic. The immediate action for any administrator is to:

  • Identify which Exim version you are running: exim -bV (not exim -v, which merely turns on verbose output) prints the version and build options; the Support for: line and the Library version: line show whether the binary was compiled against GnuTLS or OpenSSL.
  • Check if your distribution has released a patched package. Major Linux distributions typically release updates promptly, but lag time varies.
  • If no package is available yet, consider stopping Exim from advertising the CHUNKING extension as a temporary measure until patches are deployed. The chunking_advertise_hosts main option controls this: an empty host list means CHUNKING is never offered, and Exim answers a BDAT command with a 503 when CHUNKING was not advertised. Reload the daemon afterwards and confirm the value in force with exim -bP chunking_advertise_hosts.
  • Test patches in a non-production environment before rolling them out, particularly in complex mail environments where Exim is tightly integrated with spam filtering, virus scanning, or authentication systems.
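The version check, the TLS-library check and the CHUNKING mitigation from the steps above, as one added script written for this article (it is not code from the Exim project or its advisory). It assumes the exim -bV output layout of Exim 4.9x, where a Support for: line lists the compiled-in features and a Library version: line names the TLS library, and it assumes chunking_advertise_hosts is the main-section option that governs whether CHUNKING is offered. The functions read text on standard input, so they work against saved output as well as a live binary; the exim -bV output used in the test is constructed.

```shell
#!/bin/sh
# Added example for this article, not code from the Exim project.
# Assumes: `exim -bV` prints "Exim version X.YY ...", a "Support for:" line
# naming GnuTLS or OpenSSL, and a "Library version:" line; and that the
# main-config option chunking_advertise_hosts governs whether CHUNKING (and
# therefore BDAT) is offered to a client.

# Print the Exim version from `exim -bV` text on stdin (e.g. "4.96").
exim_version() {
  awk '/^Exim version/ { print $3; exit }'
}

# Print which TLS library the binary was compiled against: GnuTLS, OpenSSL
# or none. Only the "Support for:" and "Library version:" lines are trusted,
# so a hostname or path that happens to mention "openssl" cannot fool it.
tls_library() {
  awk '
    /^(Support for:|Library version:)/ && /GnuTLS/  { lib = "GnuTLS" }
    /^(Support for:|Library version:)/ && /OpenSSL/ { lib = "OpenSSL" }
    END { print (lib == "" ? "none" : lib) }
  '
}

# Read an Exim main configuration (or `exim -bP chunking_advertise_hosts`
# output) on stdin and report whether CHUNKING is still advertised.
# Option absent = Exim default "*" (offered to every host);
# empty value   = never offered; otherwise the host list in force.
chunking_advertised() {
  awk '
    /^[[:space:]]*#/ { next }                       # comment line
    /^begin[[:space:]]/ { exit }                    # main section ends here
    /^[[:space:]]*chunking_advertise_hosts[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
      val = $0; seen = 1                            # last setting wins
    }
    END {
      if (!seen)          print "yes (default: *)"
      else if (val == "") print "no"
      else                print "yes (" val ")"
    }
  '
}

# The temporary mitigation as a main-section fragment to append to the
# Exim configuration (before the first "begin" line).
mitigation_snippet() {
  cat <<'EOF'
# Temporary Dead.Letter mitigation: do not advertise CHUNKING, so BDAT is refused
chunking_advertise_hosts =
EOF
}

# Live run when an exim binary is on PATH (skipped otherwise).
if command -v exim >/dev/null 2>&1; then
  bv=$(exim -bV 2>/dev/null)
  echo "exim version : $(printf '%s\n' "$bv" | exim_version)"
  echo "tls library  : $(printf '%s\n' "$bv" | tls_library)"
  # -bP prints the value the running configuration resolves to.
  echo "chunking     : $(exim -bP chunking_advertise_hosts 2>/dev/null | chunking_advertised)"
fi
```

After appending the fragment, send the daemon a SIGHUP (or restart it) and re-run the -bP check; a client that is not offered CHUNKING falls back to DATA, so mail flow continues while BDAT is refused. Treat the mitigation as a stopgap and confirm against the vendor advisory that not advertising CHUNKING is sufficient for your version before relying on it.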

For those running custom Exim builds or maintaining their own compilation, rebuilding against the patched source is the standard remediation path.

Broader Implications

This vulnerability underscores why mail server selection and maintenance strategy matter. MTAs like Exim, Postfix, and Sendmail are foundational infrastructure with minimal redundancy in many deployments. A single daemon process failure—or a compromise—can silence an entire mail system.

Regular security monitoring, timely patching workflows, and awareness of which dependencies (TLS libraries, system calls, protocol handlers) your MTA relies on are not optional luxuries for infrastructure teams. They are operational necessities. The underlying issue reminds us that even established, scrutinised software can harbour subtle memory safety bugs in less commonly tested code paths.

For hosting providers and dedicated server customers alike, treating mail infrastructure with the same rigour as web application firewalls and database security is essential. A forgotten Exim patch can undo months of otherwise sound security work.