
Exim Dead.Letter vulnerability: what mail servers need to know now

If you run a mail server, a tiny flaw in Exim could become a big headache. The Dead.Letter vulnerability (CVE-2026-45185) is a use-after-free flaw in Exim’s BDAT parsing that can be triggered when a TLS connection ends unexpectedly during a message transfer. The result could be unstable service or exposure to attacker-controlled behavior. Vendors and researchers are watching closely, and patches are being released. Here’s what you need to know and how to respond.

What happened

Exim, a widely used mail transfer agent on Unix-like systems, disclosed a use-after-free vulnerability in its BDAT path. The flaw can be triggered when a client closes TLS with a close_notify before the BDAT body transfer completes, followed by an extra byte on the same connection. This sequence can lead to memory corruption, and depending on the environment, may allow an attacker to impact the mail server.

Why it matters

Mail servers are essential for small businesses, creators, and IT teams. A vulnerability in Exim could affect how you receive and send email, potentially impacting availability, reliability, and security. Because Exim runs on many shared hosts and cloud servers, the risk can span across small organizations and hosting providers.

Practical steps you can take

  • Check if you run Exim and your version: Review your server’s mail stack to determine if Exim is installed and which version you are running.
  • Apply the patch or upgrade: Update Exim to the patched release as provided by the Exim project or your OS vendor. If you’re unsure, contact your hosting provider or system administrator.
  • Patch your OS and dependencies: Ensure your operating system’s security updates are applied, as vendor patches may be delivered through package managers.
  • Review outbound/inbound mail traffic: Monitor mail queues and logs for unusual activity. Look for sudden spikes, failed TLS handshakes, or TLS sessions that are repeatedly closed mid-transfer (the early close_notify during BDAT described above), which could indicate an exploitation attempt.
  • Harden mail server configuration: If feasible, ensure TLS configurations are up to date and consider enabling stricter TLS policies for SMTP when appropriate.
  • Have a plan for incidents: If you suspect exploitation, follow your incident response plan, rotate credentials where needed, and verify mail delivery integrity.
  • Stay informed: Subscribe to official advisories from Exim and your OS vendor to receive patch notices quickly.
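One way to operationalize the log-monitoring step: a small Python script that scans an Exim mainlog for connections dropped while a message body was being read and flags sources that do it repeatedly in a short window. This is an added example written for this article, not code from the Exim project or the vulnerability disclosure. The log lines embedded below are constructed and only imitate Exim's mainlog style; the exact wording on a real server may differ, so adjust the regular expression and the threshold to match what your own logs show.

```python
"""Flag SMTP sources that repeatedly drop TLS sessions mid-message in an Exim mainlog.

Added example for this article, not Exim project code. The log lines below are
constructed for the example; they imitate Exim's mainlog style, but the exact
wording on a real server may differ, so adjust the patterns to what you see.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
2026-03-01 09:00:01 1abcDE-000001-AA <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2048
2026-03-01 09:00:05 SMTP connection from (scanner) [203.0.113.7] lost while reading message data
2026-03-01 09:00:06 SMTP connection from (scanner) [203.0.113.7] lost while reading message data
2026-03-01 09:00:07 TLS error on connection from (scanner) [203.0.113.7] (SSL_read): connection closed
2026-03-01 09:00:08 SMTP connection from (scanner) [203.0.113.7] lost while reading message data
2026-03-01 09:01:30 SMTP connection from (laptop) [198.51.100.4] lost while reading message data
2026-03-01 09:05:00 1abcDE-000002-AB => bob@example.net R=dnslookup T=remote_smtp
"""

# Matches lines recording an abrupt disconnect during message data or a TLS read.
# Timestamp and the bracketed client IP are captured; the host name in parentheses is optional.
ABRUPT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:SMTP connection from|TLS error on connection from) "
    r"(?:\([^)]*\) )?\[(?P<ip>[^\]]+)\].*"
    r"(?:lost while reading message data|connection closed)"
)


def parse_abrupt_disconnects(log_text):
    """Return a list of (timestamp, client_ip) for each abrupt-disconnect line."""
    events = []
    for line in log_text.splitlines():
        m = ABRUPT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events


def flag_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: max_count} for IPs with >= threshold disconnects inside any sliding window.

    A single dropped connection is normal (flaky clients, mobile users); a burst
    from one source is what deserves a closer look.
    """
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until all events fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    evs = parse_abrupt_disconnects(SAMPLE_LOG)
    for ip, n in flag_sources(evs).items():
        print(f"{ip}: {n} abrupt TLS/message-data disconnects within 5 minutes")
```

Run it against your real mainlog by replacing `SAMPLE_LOG` with the file contents (or piping the file in). A hit is not proof of exploitation, only a signal that one source is repeatedly tearing down sessions during message transfer, which is the moment the article says is relevant; correlate it with the patch status of the server and the rest of your incident response plan.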

Final thought

If you run mail on the internet-facing side of your business, this is one vulnerability you should treat with priority, but not panic. Patch early, monitor, and keep a sensible patch plan in place. Small steps now pay off later.
