
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code.
Tracked as CVE-2026-45185, the security issue affects some Exim versions earlier than 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication. It is a use-after-free (UAF) flaw triggered during TLS shutdown while handling BDAT chunked SMTP traffic.
Exim frees a TLS transport buffer but later keeps using stale callback references that can write data into the freed memory region, which can lead to unauthenticated remote code execution (RCE).
Exim is a widely deployed open-source mail transfer agent (MTA) used to send, receive, and route email on Linux and Unix servers. It is used on Linux servers, in shared hosting environments, enterprise mail systems, and on Debian- and Ubuntu-based distributions, where it has historically been the default mail server.
CVE-2026-45185 was discovered and reported by XBOW researcher Federico Kirschbaum. It affects Exim versions 4.97 through 4.99.2 on builds compiled with GnuTLS that have STARTTLS and CHUNKING advertised. OpenSSL-based builds are not affected.
Attackers exploiting the vulnerability could execute commands on the server as well as access Exim data and emails, and potentially pivot further into the environment depending on server permissions and configuration.
XBOW reported the vulnerability to the Exim maintainers on May 1st and received an acknowledgment on May 5th. Impacted Linux distributions were notified three days later.
A fix for CVE-2026-45185 was released in Exim version 4.99.3.
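The exposure conditions reported above (version 4.97 through 4.99.2, a GnuTLS build, STARTTLS and CHUNKING advertised) can be checked on a server without touching the vulnerable code path. The script below is an added triage example, not code from XBOW or the Exim project: it parses the output of `exim -bV` for the version and TLS library and an EHLO response for advertised capabilities, and reports whether all reported conditions are met. The sample `exim -bV` output and EHLO response are constructed, and the `Support for:` line format is assumed from typical Exim builds; on a real host, feed the script the actual command output.

```python
import re
from typing import Optional

# Affected range as reported for CVE-2026-45185: Exim 4.97 through 4.99.2,
# only on GnuTLS builds with STARTTLS and CHUNKING advertised. Fixed in 4.99.3.
AFFECTED_MIN = (4, 97)
AFFECTED_MAX = (4, 99, 2)

# Constructed sample of `exim -bV` output (line format assumed from typical builds).
SAMPLE_EXIM_BV = """Exim version 4.98.1 #2 built 02-Jan-2025 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DANE DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR
Library version: GnuTLS: Compile: 3.8.3
"""

# Constructed sample EHLO response from the same (hypothetical) server.
SAMPLE_EHLO = """250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP
"""


def parse_version(bv_output: str) -> tuple:
    """Return the Exim version as an integer tuple, e.g. (4, 98, 1)."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)*)", bv_output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found in -bV output")
    return tuple(int(p) for p in m.group(1).split("."))


def tls_library(bv_output: str) -> Optional[str]:
    """Return 'GnuTLS' or 'OpenSSL' based on the 'Support for:' feature list."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    if not m:
        return None
    features = m.group(1).split()
    if "GnuTLS" in features:
        return "GnuTLS"
    if "OpenSSL" in features:
        return "OpenSSL"
    return None


def ehlo_capabilities(ehlo_response: str) -> set:
    """Collect capability keywords from the 250-/250 lines after the greeting."""
    caps = set()
    for line in ehlo_response.splitlines()[1:]:  # first line is the hostname greeting
        m = re.match(r"^250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def version_in_affected_range(version: tuple) -> bool:
    # Tuple comparison handles two- and three-part versions: (4, 97) <= (4, 98, 1).
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(bv_output: str, ehlo_response: str) -> dict:
    """Report whether every reported exposure condition holds."""
    version = parse_version(bv_output)
    lib = tls_library(bv_output)
    caps = ehlo_capabilities(ehlo_response)
    reasons = []
    if not version_in_affected_range(version):
        reasons.append("version outside 4.97-4.99.2")
    if lib != "GnuTLS":
        reasons.append(f"TLS library is {lib or 'unknown'}, not GnuTLS")
    for cap in ("STARTTLS", "CHUNKING"):
        if cap not in caps:
            reasons.append(f"{cap} not advertised")
    return {
        "version": ".".join(map(str, version)),
        "tls_library": lib,
        "exposed": not reasons,
        "not_exposed_because": reasons,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_EXIM_BV, SAMPLE_EHLO))
```

A result of `exposed: True` means the host matches the published conditions and should be updated to 4.99.3 or later; it is not a confirmation that the host is exploitable. Disabling CHUNKING (or STARTTLS) would remove one condition but is not a substitute for the patch.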
AI-assisted exploit development
XBOW reports that developing the proof-of-concept (PoC) exploit was a seven-day challenge between the company's autonomous AI-driven system, XBOW Local, and a human researcher assisted by a large language model.
In a first attempt, XBOW Local successfully produced a working exploit for a simplified target Exim server that had no Address Space Layout Randomization (ASLR) and a non-PIE (Position Independent Executable) binary.
In a second attempt, the LLM achieved an exploit on a system with ASLR, but still a non-PIE binary.
“[…] instead of continuing to attack glibc’s allocator with off-the-shelf mechanisms, XBOW Local had taken on Exim’s own allocator,” XBOW researchers say.
Despite the surprising result, it was the human researcher who won the race, with the help of the LLM for tasks such as assembling files and testing exploitation avenues.
While the researcher acknowledged the impressive speed of the LLM, they found it necessary to shape the working environment rather than letting the model create its own space.
“Honestly, I don’t think LLMs alone are quite able to write exploits against real-world software yet. After this experience, I think it can solve something CTF-shaped, but I do not see them reaching the level of real production targets just yet.”
Still, the researcher acknowledged the crucial role of AI tools in helping humans understand unfamiliar code and dig deeper into suspicious areas much faster than without them.
To mitigate the risk, users of Ubuntu and Debian-based Linux distributions should apply the available Exim updates (v4.99.3) through their package managers.
