Title: Exim Security Advisory for EXIM-Security-2026-05-01.1 / CVE-TBD
Announced: 2026-05-12
Reporter: federic.kirschbaum@xbow.com
Affects: Exim 4.97 up to and including 4.99.2
Corrected: Exim 4.99.3

Exim Security Vulnerability: EXIM-Security-2026-05-01.1
=========================================================

Identifier: EXIM-Security-2026-05-01.1 (CVE to be assigned)
Type: Remote Use-After-Free (UAF)
Severity: [TO BE DETERMINED]
Credit: federic.kirschbaum@xbow.com

Timeline
--------

2026-05-01 17:29:41 UTC: Initial security report received from Federico Kirschbaum (XBOW Security).
2026-05-04 20:00:54 UTC: Federico Kirschbaum follows up, asking about the status of the review of the submission.
2026-05-05 02:53:xx UTC: Exim maintainers (Heiko Schlittermann) acknowledge the report and confirm that a fix is being prepared in private repositories.
2026-05-07 14:14:23 UTC: Reporter asks about disclosure planning. Exim maintainers confirm that coordinated release planning is underway.
2026-05-07 22:00:45 UTC: Announcement to distros@vs.openwall.org.
2026-05-10 20:00:xx UTC: Restricted access to the fixes provided to distributors.
2026-05-12 14:00:xx UTC: Public coordinated release of the fix and this advisory.

Vulnerability Summary
---------------------

A remotely reachable memory corruption issue was discovered in Exim's GnuTLS backend. It is triggered during BDAT message body handling when a client sends a TLS close_notify alert before the body transfer is complete and then sends a final byte in cleartext on the same TCP connection. In this sequence Exim writes into an input buffer that has already been freed during the TLS session teardown: a use-after-free that corrupts the heap. The only prerequisites for an attacker are the ability to establish a TLS session with the server and to use the CHUNKING (BDAT) SMTP extension.

Affected Versions
-----------------

- All Exim versions from 4.97 up to and including 4.99.2 are affected.
- Only builds compiled with USE_GNUTLS=yes are affected. Builds using OpenSSL or other TLS libraries are not affected.

Mitigation
----------

- There is no known mitigation other than upgrading.

Resolution
----------

The issue is resolved in Exim version 4.99.3. All users of affected versions are strongly encouraged to upgrade as soon as possible. The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, so that the stale pointers are never used.

Downloads
---------

The new version will be available from the usual locations upon release:

- https://ftp.exim.org/pub/exim/exim4/
- https://code.exim.org/exim/exim/releases

# Created by Gemini CLI on 2026-05-07 for Heiko Schlittermann (HS12-RIPE)
# Rationale: Preparing the website security advisory based on the findings for issue #39, including timestamps and mail archiving.
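The Affected Versions section above makes exposure depend on two facts about a host: the Exim release and the TLS library it was compiled against. The following script is an added example, not part of the advisory or the Exim project, that checks both from the banner `exim -bV` prints. It assumes the common banner layout (a first line of the form "Exim version X.Y.Z #N built ...", plus a "Support for:" list and, on TLS builds, a "Library version: GnuTLS: ..." or "Library version: OpenSSL: ..." line); the three sample banners embedded below are constructed to match that layout and are not captured from real hosts.

```python
"""Check `exim -bV` output against the affected range of this advisory.

Added example; not code from the advisory or the Exim project. The banner
format (first line "Exim version X.Y.Z #N built ...", "Support for:" list,
"Library version: <lib>:" line) is assumed from typical builds.
"""
import re
import subprocess
from typing import NamedTuple, Optional, Tuple

AFFECTED_MIN = (4, 97, 0)   # first affected release, 4.97
AFFECTED_MAX = (4, 99, 2)   # last affected release, 4.99.2
FIXED_IN = (4, 99, 3)       # release carrying the fix


class EximBuild(NamedTuple):
    version: Tuple[int, int, int]
    tls_library: Optional[str]   # "GnuTLS", "OpenSSL", or None if not detected


def parse_version(banner: str) -> Tuple[int, int, int]:
    """Extract the release from the 'Exim version ...' line as a 3-tuple.

    4.97 becomes (4, 97, 0) so that plain x.y releases compare correctly
    against x.y.z point releases.
    """
    m = re.search(r"^Exim version (\d+(?:\.\d+)*)", banner, re.M)
    if not m:
        raise ValueError("no 'Exim version' line in banner")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2])


def parse_tls_library(banner: str) -> Optional[str]:
    """Name the TLS backend from the 'Support for:' or 'Library version:' lines."""
    for lib in ("GnuTLS", "OpenSSL"):
        pattern = rf"^(?:Support for:.*\b{lib}\b|Library version: {lib}:)"
        if re.search(pattern, banner, re.M):
            return lib
    return None


def parse_exim_bv(banner: str) -> EximBuild:
    return EximBuild(parse_version(banner), parse_tls_library(banner))


def is_affected(build: EximBuild) -> bool:
    """Affected iff the release is in [4.97, 4.99.2] AND the backend is GnuTLS."""
    in_range = AFFECTED_MIN <= build.version <= AFFECTED_MAX
    return in_range and build.tls_library == "GnuTLS"


def check_local_exim(binary: str = "exim") -> EximBuild:
    """Run `exim -bV` on this host and parse the result (needs exim installed)."""
    proc = subprocess.run([binary, "-bV"], capture_output=True, text=True, check=True)
    return parse_exim_bv(proc.stdout)


# Constructed sample banners (not from real hosts), one per outcome.
SAMPLE_GNUTLS_AFFECTED = """Exim version 4.98.2 #3 built 10-Feb-2026 09:12:44
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PIPECONNECT PRDR
Library version: GnuTLS: Compile: 3.8.4 Runtime: 3.8.4
Configuration file is /etc/exim/exim.conf
"""

SAMPLE_OPENSSL_NOT_AFFECTED = """Exim version 4.98.2 #1 built 10-Feb-2026 09:12:44
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event OCSP PIPECONNECT PRDR
Library version: OpenSSL: Compile: OpenSSL 3.0.13 Runtime: OpenSSL 3.0.13
Configuration file is /etc/exim/exim.conf
"""

SAMPLE_GNUTLS_FIXED = """Exim version 4.99.3 #1 built 12-May-2026 14:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PIPECONNECT PRDR
Library version: GnuTLS: Compile: 3.8.4 Runtime: 3.8.4
Configuration file is /etc/exim/exim.conf
"""

if __name__ == "__main__":
    samples = {
        "gnutls 4.98.2": SAMPLE_GNUTLS_AFFECTED,
        "openssl 4.98.2": SAMPLE_OPENSSL_NOT_AFFECTED,
        "gnutls 4.99.3": SAMPLE_GNUTLS_FIXED,
    }
    for name, banner in samples.items():
        build = parse_exim_bv(banner)
        verdict = "AFFECTED" if is_affected(build) else "not affected"
        print(f"{name}: {build.version} / {build.tls_library}: {verdict}")
```

To check a real host, call `check_local_exim()` (or pass the path of the Exim binary) and feed the result to `is_affected`. A `tls_library` of None means the banner did not match the assumed layout and should be inspected by hand rather than treated as "not affected".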