Hello,

The Exim maintainers are releasing an important security update to address a 
critical vulnerability affecting certain Exim configurations.

Vulnerability Details

A remotely reachable Use-After-Free (UAF) vulnerability has been identified in 
Exim's BDAT (binary data transmission) body parsing path when using the GnuTLS 
backend. This vulnerability can lead to heap corruption and potential code 
execution.

Affected Versions and Configurations

This vulnerability affects Exim versions 4.97 through 4.99.x that:
- Are built with GnuTLS support
- Have STARTTLS and CHUNKING advertised
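As an added example (not part of this advisory, and not Exim project code), the following POSIX shell script turns the three conditions above into a local check: it parses `exim -bV` output for the version and the TLS backend, reads the real `tls_advertise_hosts` and `chunking_advertise_hosts` main options via `exim -bP`, and reports whether the host sits in the affected window (4.97 up to, but not including, 4.99.3). The sample `-bV` text embedded below is constructed for offline testing; treating a non-empty advertise-host list as "advertised" is a deliberate simplification, since those options are host lists and may exclude the hosts you care about.

```shell
#!/bin/sh
# Added example, not from the advisory: does this host match the affected
# Exim configuration (4.97 <= version < 4.99.3, GnuTLS build, STARTTLS and
# CHUNKING advertised)?

# Compare two dotted numeric versions; prints -1, 0 or 1.
# Non-digit suffixes on a component (e.g. "3RC1") are ignored.
vercmp() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && { printf '%s\n' 0; return; }
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
        i=$((i + 1))
    done
}

# Pull the version and the "Support for:" line out of `exim -bV` output.
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9.]*\).*/\1/p' | head -n1
}
exim_support_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Support for: //p' | head -n1
}

# Returns 0 when the host matches the affected configuration, 1 otherwise.
# Arguments: version, "Support for" line, tls_advertise_hosts value,
# chunking_advertise_hosts value.
exim_bdat_uaf_affected() {
    version="$1"; support="$2"; tls_adv="$3"; chunk_adv="$4"
    [ "$(vercmp "$version" 4.97)" -ge 0 ] || return 1    # 4.97 or later
    [ "$(vercmp "$version" 4.99.3)" -lt 0 ] || return 1  # fixed in 4.99.3
    case "$support" in *GnuTLS*) ;; *) return 1 ;; esac  # GnuTLS backend
    [ -n "$tls_adv" ] || return 1    # STARTTLS advertised (simplified)
    [ -n "$chunk_adv" ] || return 1  # CHUNKING advertised (simplified)
    return 0
}

# Run the check against the local Exim binary (needs exim in PATH).
check_local_exim() {
    bv=$(exim -bV 2>/dev/null) || { echo "exim not found"; return 2; }
    tls=$(exim -bP tls_advertise_hosts 2>/dev/null | sed 's/^[^=]*= *//')
    chunk=$(exim -bP chunking_advertise_hosts 2>/dev/null | sed 's/^[^=]*= *//')
    if exim_bdat_uaf_affected "$(exim_version_from_bv "$bv")" \
            "$(exim_support_from_bv "$bv")" "$tls" "$chunk"; then
        echo "AFFECTED: upgrade to Exim 4.99.3 or later"; return 0
    fi
    echo "not in the affected configuration"; return 1
}

# Constructed sample of `exim -bV` output for offline testing.
SAMPLE_BV='Exim version 4.99.2 #1 built 01-Jan-2000 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event PRDR
Configuration file is /etc/exim/exim.conf'

# Offline demonstration on the constructed sample (all hosts advertised).
if exim_bdat_uaf_affected "$(exim_version_from_bv "$SAMPLE_BV")" \
        "$(exim_support_from_bv "$SAMPLE_BV")" '*' '*'; then
    echo "sample host: AFFECTED"
else
    echo "sample host: not affected"
fi
```

Run `check_local_exim` on a mail server to test the live binary; the offline part at the bottom only exercises the constructed sample.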

Recommended Action

We strongly recommend all affected users upgrade to Exim 4.99.3 or later 
immediately.

Obtaining the Fix

Fixed versions are available:
- Repository: https://code.exim.org/exim-/exim (branch: exim-4.99+fixes, tag: 
exim-4.99.3) (signed by me)
- Tarballs: https://downloads.exim.org/exim4/ (signed by me)
- Please see the Exim website for detailed upgrade instructions

Additional Information

- Distros already have coordinated access to patches
- Internal tracking ID: EXIM-Security-2026-05-01.1
- Full technical details will be available: 
https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/

Thank you for your cooperation.
And special thanks to the reporter at xbow security.

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU)              fon +49.351.8029981 -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
