Bleeping Computer reports that a critical vulnerability, identified as CVE-2026-45185, has been discovered in certain configurations of the Exim open-source mail transfer agent. This flaw could allow an unauthenticated remote attacker to execute arbitrary code on affected servers.

The vulnerability, a use-after-free flaw, occurs during the TLS shutdown process when handling chunked SMTP traffic. It impacts Exim versions prior to 4.99.3 that use the default GnuTLS library and have STARTTLS and CHUNKING enabled. OpenSSL-based builds are not affected. Attackers could exploit this to run commands, access sensitive email data, and potentially pivot to other parts of the network. The vulnerability was discovered by XBOW researcher Federico Kirschbaum, and a fix was released in Exim version 4.99.3.

The development of a proof-of-concept exploit involved an AI system and a human researcher, highlighting the evolving landscape of vulnerability research. Users of Debian and Ubuntu-based Linux distributions are urged to update their Exim installations to the latest version to mitigate this risk.

Source: Bleeping Computer
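A triage check for the affected configuration described above, added here as an example and not taken from the report or from the Exim project: it reads the version and TLS library from `exim -bV` output and the two advertise options from `exim -bP` output, and reports whether all four conditions from the report hold at once. The sample output is constructed, and the `-bV`/`-bP` output layout and the option names `tls_advertise_hosts` and `chunking_advertise_hosts` are assumed from Exim's documented behaviour.

```python
"""Triage: does this Exim build match the affected configuration the report
describes (version < 4.99.3, GnuTLS, STARTTLS and CHUNKING advertised)?"""
import re
import subprocess

FIXED = (4, 99, 3)  # first fixed release named in the report

def parse_version(bv_output: str) -> tuple:
    """(major, minor, patch) from the 'Exim version X.Y[.Z]' line of `exim -bV`
    (assumed layout); a missing patch component counts as 0."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line in -bV output")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def tls_library(bv_output: str) -> str:
    """'GnuTLS', 'OpenSSL' or 'none', read from the 'Support for:' line."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    tokens = m.group(1).split() if m else []
    return next((lib for lib in ("GnuTLS", "OpenSSL") if lib in tokens), "none")

def option_is_set(bp_output: str) -> bool:
    """`exim -bP <option>` prints 'option = value'; an empty host list means
    the feature is advertised to nobody, so it is effectively off."""
    _, _, value = bp_output.partition("=")
    return value.strip() != ""

def is_affected(bv_output: str, tls_advertise_bp: str, chunking_bp: str) -> bool:
    """True only when every condition from the report holds at once."""
    return (parse_version(bv_output) < FIXED
            and tls_library(bv_output) == "GnuTLS"
            and option_is_set(tls_advertise_bp)
            and option_is_set(chunking_bp))

def live_check(binary: str = "exim") -> bool:
    """Run the real commands on this host (Debian installs the binary as exim4)."""
    run = lambda *args: subprocess.run([binary, *args], capture_output=True,
                                       text=True, check=True).stdout
    return is_affected(run("-bV"), run("-bP", "tls_advertise_hosts"),
                       run("-bP", "chunking_advertise_hosts"))

# Constructed sample of `exim -bV` output; not captured from a real host.
SAMPLE_BV = """Exim version 4.97.1 #2 built 14-Jan-2024 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume DKIM DNSSEC PRDR
"""
```

On a mail host, `live_check()` (or `live_check("exim4")` on Debian and Ubuntu) runs the real commands; a `True` result means the build needs the 4.99.3 update or one of the advertised features turned off.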