ctipilot.ch

Exim Dead.Letter — BDAT/CHUNKING UAF on GnuTLS builds, pre-auth RCE (CVSS 9.8, ENISA critical); fixed in Exim 4.99.3

cve · CVE-2026-45185

Coverage timeline: 2 (first 2026-05-13 → last 2026-05-13)
Briefs: 1 (1 distinct)
Sources cited: 7 (7 hosts)
Sections touched: 2 (action_items, trending_vulns)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-13 · CTI Daily Brief — 2026-05-13 · trending_vulns: New XBOW disclosure 2026-05-12; ENISA EUVD-2026-29824 critical; default Debian/Ubuntu MTA affected.
  2. 2026-05-13 · CTI Daily Brief — 2026-05-13 · action_items: Action item referencing in-brief detail.

Where this entity is cited

  • trending_vulns: 1
  • action_items: 1

Source distribution

  • openwall.com: 1 (14%)
  • thehackernews.com: 1 (14%)
  • xbow.com: 1 (14%)
  • anwalt.de: 1 (14%)
  • heise.de: 1 (14%)
  • therecord.media: 1 (14%)
  • theregister.com: 1 (14%)

Items in briefs about Exim Dead.Letter — BDAT/CHUNKING UAF on GnuTLS builds, pre-auth RCE (CVSS 9.8, ENISA critical); fixed in Exim 4.99.3 (1)

CVE-2026-45185 — Exim "Dead.Letter" use-after-free in BDAT/CHUNKING on GnuTLS builds

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

XBOW disclosed CVE-2026-45185 on 2026-05-12 after a coordinated-disclosure window with Exim maintainers, Linux distros and CVE authorities that began 2026-05-01 (XBOW research, 2026-05-12; oss-security, 2026-05-12; The Hacker News, 2026-05-12). The bug is a use-after-free (CWE-416) in Exim's BDAT (RFC 3030 CHUNKING) body parser when the binary was built with GnuTLS (USE_GNUTLS=yes), which is the default for the Debian and Ubuntu packages. OpenSSL builds are unaffected.

Trigger: an SMTP client sends a TLS close_notify mid-BDAT body, then one final cleartext byte on the same TCP connection. Exim's xfer_buffer has already been freed in tls_close(), but the BDAT lwr_receive_* function pointers remain live and tls_ungetc() writes a single \n byte into the freed region.

Exploitation: XBOW's AI-driven exploitation, carried out within the seven-day disclosure window, produced two working chains under ASLR: a largebin-corruption → FILE struct hijack chain on No-PIE builds, and a storeblock length-inflation → bump-pointer corruption → ${run} ACL execution chain on PIE builds. No authentication is required, and the CHUNKING extension is on by default. Fixed in Exim 4.99.3. CVSS 9.8 per the XBOW disclosure.

Exposure: no public exploitation was reported at disclosure, but Exim is the dominant MTA on the public internet, and the GnuTLS default on Debian / Ubuntu maps directly to the typical EU university, academic-research and small-government mail-relay estate.

Detection / hunt concepts, mapped to T1190 Exploit Public-Facing Application and T1499.004 Endpoint Denial of Service: Application or System Exploitation:
  • monitor the Exim panic log for tls_ungetc traces and for segfaults of SMTP receiver processes while the daemon is handling connections;
  • egress-monitor any outbound TCP from the MTA host that does not match the usual upstream-relay set;
  • on Debian / Ubuntu, audit exim -bV | grep GnuTLS per host to identify GnuTLS builds.

Workaround pending patch: set chunking_advertise_hosts to an empty value in the main section of the Exim configuration (exim4.conf on Debian) so that BDAT/CHUNKING is no longer advertised to clients.
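The per-host audit and the panic-log hunt from the action items above, as an added example that is not code from the brief, from XBOW or from the Exim project. It assumes that exim -bV prints an "Exim version X" line and a "Support for:" line naming GnuTLS, that an EHLO reply lists CHUNKING as a 250- line, and that the panic log is grep-able for the hunt terms; the exim -bV output, EHLO replies and panic-log lines in the SAMPLE_* strings are constructed for illustration, and the nc-based EHLO capture at the end is an assumption about tooling on the audited host.

```shell
#!/bin/sh
# Host-audit helper for CVE-2026-45185 (added example; not code from the brief,
# XBOW or the Exim project). A Debian/Ubuntu relay is treated as exposed when
# all three hold: GnuTLS build, Exim older than 4.99.3, CHUNKING advertised.
# Every SAMPLE_* string below is constructed for illustration, not real output.

FIXED_VERSION="4.99.3"

# version_lt A B: exit 0 when dotted version A is strictly older than B.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1   # equal is not "older"
}

# exim_version TEXT: print the version from the first "Exim version X" line.
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# exim_uses_gnutls TEXT: exit 0 when the "Support for:" line of exim -bV
# names GnuTLS (matches both the bare "GnuTLS" token and "TLS=GnuTLS").
exim_uses_gnutls() {
    printf '%s\n' "$1" | grep '^Support for:' | grep -q 'GnuTLS'
}

# ehlo_advertises_chunking TEXT: exit 0 when an EHLO reply lists CHUNKING.
ehlo_advertises_chunking() {
    printf '%s\n' "$1" | grep -q -E '^250[ -]CHUNKING'
}

# host_exposed BV_TEXT EHLO_TEXT: 0 = exposed, 1 = not exposed, 2 = unparsable.
host_exposed() {
    ver=$(exim_version "$1")
    [ -n "$ver" ] || return 2
    exim_uses_gnutls "$1" || return 1
    version_lt "$ver" "$FIXED_VERSION" || return 1
    ehlo_advertises_chunking "$2" || return 1
    return 0
}

# count_panic_hits TEXT: number of panic-log lines matching the hunt pattern
# from the brief (tls_ungetc traces and segfaults). Debian keeps this log at
# /var/log/exim4/paniclog.
count_panic_hits() {
    printf '%s\n' "$1" | grep -c -E 'tls_ungetc|SIGSEGV|segfault' || true
}

# report BV_TEXT EHLO_TEXT LABEL: one line per host, with the remediation.
report() {
    if host_exposed "$1" "$2"; then
        echo "$3: EXPOSED - upgrade to Exim $FIXED_VERSION or set chunking_advertise_hosts empty"
    else
        echo "$3: not exposed"
    fi
}

# ---- constructed samples (not real exim -bV, EHLO or paniclog output) ------
SAMPLE_BV='Exim version 4.99.2 #2 built 01-May-2026 12:00:00
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
Configuration file is /var/lib/exim4/config.autogenerated'
SAMPLE_BV_PATCHED='Exim version 4.99.3 #1 built 13-May-2026 08:00:00
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open'
SAMPLE_BV_OPENSSL='Exim version 4.99.2 #1 built 01-May-2026 12:00:00
Support for: crypteq iconv() IPv6 OpenSSL move_frozen_messages DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open'
SAMPLE_EHLO='250-mx.example.invalid Hello client [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP'
SAMPLE_EHLO_MITIGATED='250-mx.example.invalid Hello client [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP'
SAMPLE_PANIC='2026-05-13 09:14:02 SMTP connection from [198.51.100.7] lost while reading message data
2026-05-13 09:14:02 tls_ungetc after TLS close on connection from [198.51.100.7]
2026-05-13 09:14:03 child 4711 terminated by signal 11 (SIGSEGV)
2026-05-13 09:20:00 spool directory check completed'

report "$SAMPLE_BV"         "$SAMPLE_EHLO"           "sample-gnutls-4.99.2"
report "$SAMPLE_BV_PATCHED" "$SAMPLE_EHLO"           "sample-gnutls-4.99.3"
report "$SAMPLE_BV_OPENSSL" "$SAMPLE_EHLO"           "sample-openssl-4.99.2"
report "$SAMPLE_BV"         "$SAMPLE_EHLO_MITIGATED" "sample-chunking-off"
echo "panic-log hits in sample: $(count_panic_hits "$SAMPLE_PANIC")"

# On a real host, feed exim -bV and a captured EHLO reply to report. Capturing
# the reply with nc against the local listener is an assumption about tooling.
if command -v exim >/dev/null 2>&1; then
    EHLO_LIVE=$(printf 'EHLO audit.example.invalid\r\nQUIT\r\n' | nc -w 3 127.0.0.1 25 2>/dev/null || true)
    report "$(exim -bV 2>/dev/null || true)" "$EHLO_LIVE" "$(hostname)"
fi
```

Only the first sample is reported as exposed: the 4.99.3 build is fixed, the OpenSSL build is out of scope, and the relay that no longer advertises CHUNKING cannot be reached through BDAT even though its binary is otherwise vulnerable (it still needs the upgrade). The hunt pattern is deliberately broad; in practice, pair a panic-log hit with the egress check from the brief before escalating.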