CVE-2026-45185
Publication date 12 May 2026
Last updated 21 May 2026
Ubuntu priority
CVSS 3 Severity Score
Description
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Read the notes from the security team
Why is this CVE high priority?
This vulnerability results in remote code execution.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| exim4 | 26.04 LTS resolute | Fixed 4.99.1-1ubuntu1.2 |
| exim4 | 25.10 questing | Fixed 4.98.2-1ubuntu2.2 |
| exim4 | 24.04 LTS noble | Fixed 4.97-4ubuntu4.5 |
| exim4 | 22.04 LTS jammy | Fixed 4.95-4ubuntu2.8 |
| exim4 | 20.04 LTS focal | Needs evaluation |
| exim4 | 18.04 LTS bionic | Needs evaluation |
| exim4 | 16.04 LTS xenial | Needs evaluation |
| exim4 | 14.04 LTS trusty | Needs evaluation |
Notes
mdeslaur
This was fixed by USN-8270-1, but at the time of publication, the CVE number had not been assigned yet.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality impact | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |