A serious and remotely exploitable security flaw has been discovered in Exim, one of the most widely deployed mail transfer agents on the internet. Tracked as EXIM-Security-2026-05-01.1, the vulnerability allows a remote, unauthenticated attacker to corrupt server memory and potentially execute arbitrary malicious code — without needing any special privileges or prior access to the target system.
The flaw was publicly disclosed on May 12, 2026, following a coordinated responsible disclosure process that began in early May. A patch was released the same day: Exim version 4.99.3.
Technical Overview: How the Vulnerability Works
The flaw resides in Exim’s GnuTLS backend — the component responsible for handling encrypted email communication over TLS. It is triggered by a specific interaction between the BDAT command (part of the CHUNKING SMTP extension used to send large email bodies in chunks) and TLS session teardown.
The attack sequence works as follows:
- An attacker opens a TLS-encrypted connection to an Exim server and begins a BDAT transfer
- Before the transfer completes, the attacker sends a TLS close_notify alert, signaling the end of the session
- Immediately after, the attacker sends one additional byte in cleartext on the same TCP connection
- Exim attempts to write data using a pointer that now points to freed memory, triggering a use-after-free condition
- This corrupts the server’s heap — the memory region storing active runtime state
- Under the right conditions, an attacker can exploit this corruption to redirect code execution and run arbitrary commands on the server
Critically, this attack requires no authentication, no special account, and no prior foothold on the target system. Any party capable of opening a standard TLS connection and using the BDAT extension — both entirely routine features of modern email infrastructure — can attempt the exploit.
Scope and Affected Versions
The vulnerability affects all Exim builds from version 4.97 through 4.99.2 that were compiled with the USE_GNUTLS=yes flag. Servers using OpenSSL or other TLS backends are not vulnerable to this specific attack vector — however, a large proportion of Linux-based Exim deployments use GnuTLS, leaving a significant number of production mail servers exposed.
Exim powers email delivery for a substantial share of internet mail servers, particularly in Linux-based environments. Given its widespread deployment, even a moderate exploitation window could affect a significant number of organizations worldwide.
Discovery and Disclosure Timeline
The vulnerability was discovered and responsibly reported to the Exim maintainers by security researcher Federico Kirschbaum of XBOW Security on May 1, 2026. Exim lead maintainer Heiko Schlittermann acknowledged the report and confirmed the issue. The team worked quickly:
- May 1, 2026: Vulnerability reported to Exim maintainers
- Early May: Fix developed in a private repository; distributors notified with restricted early access to patches
- May 12, 2026: Public advisory released alongside patched Exim 4.99.3
The responsible disclosure process allowed major Linux distributions to prepare updated packages before the flaw became public knowledge, reducing the window of exposure for well-maintained systems.
Patch and Recommended Actions
Exim 4.99.3, released May 12, 2026, fully resolves the vulnerability. The fix properly resets the input processing stack whenever a TLS close notification arrives during an active BDAT transfer, eliminating the chain of events that leads to heap corruption.
There is no known configuration workaround or mitigation short of upgrading to the patched version. System administrators running Exim 4.97 through 4.99.2 with GnuTLS enabled should treat this as an urgent, high-priority update. The patched release is available through the official Exim FTP server and its code repository.
To determine whether your Exim installation is compiled with GnuTLS, run: exim -bV | grep GnuTLS. If GnuTLS appears in the output and the server is running an affected version (4.97 through 4.99.2), it is vulnerable.
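The check above can be scripted so that a fleet of mail servers can be triaged from the output of exim -bV alone. The following POSIX shell script is an added example written for this article; it is not code from the article's author or from the Exim project. It assumes the first line of exim -bV reads "Exim version X.Y.Z ..." and that a GnuTLS build mentions GnuTLS in its "Support for:" or "Library version:" lines; the three sample outputs embedded in it are constructed to match that layout, not captures from real servers.

```shell
#!/bin/sh
# Added example, not code from the article or from the Exim project.
# Decides from `exim -bV` output whether a build falls in the affected set
# the advisory names: Exim 4.97 through 4.99.2 compiled with USE_GNUTLS=yes.
# The GnuTLS test mirrors the article's `exim -bV | grep GnuTLS`; the version
# test reads the "Exim version X.Y.Z ..." line that `exim -bV` prints first
# (assumed layout).

# version_key VERSION: map "4.99.2" or "4.97" onto one integer so versions can
# be compared with -ge/-le. Anything after the numeric part (e.g. "-RC1") is
# dropped, so a release candidate sorts with its base version.
version_key() {
    num=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    maj=$(printf '%s' "$num" | cut -d. -f1)
    min=$(printf '%s' "$num" | cut -s -d. -f2)
    pat=$(printf '%s' "$num" | cut -s -d. -f3)
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# exim_affected BV_OUTPUT: exit 0 if the build is affected, 1 if not,
# 2 if no "Exim version" line could be found in the text.
exim_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    # Not built against GnuTLS (e.g. OpenSSL backend): not this bug.
    printf '%s\n' "$1" | grep -q GnuTLS || return 1
    key=$(version_key "$ver")
    [ "$key" -ge "$(version_key 4.97)" ] && [ "$key" -le "$(version_key 4.99.2)" ]
}

# Constructed sample outputs, modelled on the layout of `exim -bV`
# (these are not captures from real servers).
SAMPLE_GNUTLS_OLD='Exim version 4.98.1 #2 built 03-Mar-2025 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3'

SAMPLE_GNUTLS_FIXED='Exim version 4.99.3 #1 built 12-May-2026 09:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3'

SAMPLE_OPENSSL='Exim version 4.98.1 #2 built 03-Mar-2025 10:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event OCSP PRDR
Library version: OpenSSL: Compile: OpenSSL 3.0.13 Runtime: OpenSSL 3.0.13'

# report LABEL BV_OUTPUT: print a one-line verdict for the given output.
report() {
    rc=0
    exim_affected "$2" || rc=$?
    case $rc in
        0) echo "$1: AFFECTED - upgrade to Exim 4.99.3" ;;
        2) echo "$1: could not parse the Exim version line" ;;
        *) echo "$1: not affected by this issue" ;;
    esac
}

report "constructed GnuTLS 4.98.1" "$SAMPLE_GNUTLS_OLD"
report "constructed GnuTLS 4.99.3" "$SAMPLE_GNUTLS_FIXED"
report "constructed OpenSSL 4.98.1" "$SAMPLE_OPENSSL"

# Live check on this host, only when an Exim binary is present
# (Debian-based systems install it as exim4).
for bin in exim exim4; do
    if command -v "$bin" >/dev/null 2>&1; then
        report "local $bin" "$("$bin" -bV 2>/dev/null)"
        break
    fi
done
```

Run it on each host, or feed it stored exim -bV output collected by your configuration management, and act on any line marked AFFECTED. The script only answers the narrow question the advisory poses (affected version range plus GnuTLS backend); it does not inspect the running configuration, so a server reported as not affected may still need other updates.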
Why This Vulnerability Matters
Mail transfer agents like Exim occupy a privileged position in network infrastructure — they handle inbound and outbound email for entire organizations, often with elevated system privileges. A remote code execution vulnerability on an MTA can allow an attacker to gain full control of the server, access stored emails, pivot to internal networks, and establish persistent backdoors.
The low barrier to exploitation — no credentials, no prior access, just a standard SMTP connection — makes this vulnerability particularly dangerous. Organizations that have not updated their Exim installations should prioritize this patch immediately, treating it with the same urgency as actively exploited zero-days given how easy the exploit conditions are to achieve.