Dead.Letter (CVE-2026-45185) Unauthenticated RCE in Exim via...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim
• Blog Title: Dead.Letter (CVE-2026-45185): Unauthenticated RCE in Exim via GnuTLS STARTTLS and BDAT Use-After-Free
• Suggested Section: Network Services Pentesting > 25,465,587 - Pentesting SMTP/s > Exim STARTTLS/BDAT GnuTLS UAF RCE, with possible cross-reference to Binary Exploitation > Use After Free

🎯 Content Summary

Dead.Letter / CVE-2026-45185 is a critical unauthenticated remote code execution vulnerability in Exim 4.97 as shipped in Debian-based default installations, including Ubuntu 24.04 LTS, when TLS is handled by GnuTLS. The bug is a use-after-free caused by an unsafe interaction between STARTTLS, BDAT chunking, TLS shutdown, Exim receive-callback stacking, and Exim/glibc allocation behavior. Triggering the bug requires almost no special s...

🔧 Technical Details

Stale stacked-callback exploitation: Protocol parsers that implement modal sub-protocols by stacking callback tables can become vulnerable if teardown code only resets the top-level callbacks. In this case, BDAT saves the active TLS callbacks into lwr_receive_*, then TLS shutdown resets only receive_* to cleartext SMTP callbacks. The saved lower row still points to tls_getc, tls_getbuf, and tls_ungetc, so later BDAT operations can invoke code belonging to a destroyed TLS layer.

One-byte UAF through parser repair logic: A parser line-ending repair path can become a write primitive if it calls ungetc() after the underlying buffer has been freed. Here, BDAT EOD handling repairs incomplete CR/LF state with bdat_ungetc('\n') or bdat_ungetc('\r'). Because bdat_ungetc() delegates to stale lwr_receive_ungetc, it reaches tls_ungetc()🤖 Agent Actions

Done.

Updated:

• src/network-services-pentesting/pentesting-smtp/README.md

What I added:

• A concise Exim STARTTLS + BDAT callback desync (GnuTLS UAF) section
• Focus on the reusable technique, not the CVE details:
  • stale stacked callback rows
  • TLS EOF to cleartext fallback
  • parser repair path (ungetc) becoming a 1-byte UAF write
  • heap-shaping window via mail-processing features
• Internal cross-reference to the existing UAF page
• References to:
  • XBOW blog
  • RFC 3030

Why this location:

• The technique is most actionable from the SMTP/Exim attack-surface perspective.
• It fits better in the SMTP methodology than in a standalone binary-exploitation page.
• No duplicate content was found in existing SMTP or UAF pages.

Validation:

• Re-read the modified section and checked the diff.
• mdbook build could not be run here because mdbook is not installed in the environment.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 25,465,587 - Pentesting SMTP/s > Exim STARTTLS/BDAT GnuTLS UAF RCE, with possible cross-reference to Binary Exploitation > Use After Free".

Repository Maintenance:

• MD Files Formatting: 974 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0