Dead.Letter (CVE-2026-45185) – How XBOW found an unauthenticated RCE on Exim
fedek_
66 points
39 comments
May 12, 2026
Related Discussions
Found 5 related stories in 73.9ms across 8,303 title embeddings via pgvector HNSW
- CVE-2026-42511 Breakdown: RCE in FreeBSD mmsc · 14 pts · May 07, 2026 · 59% similar
- Claude wrote a full FreeBSD remote kernel RCE with root shell ishqdehlvi · 258 pts · April 01, 2026 · 52% similar
- "Dirty Frag" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days ggallas · 31 pts · May 09, 2026 · 50% similar
- OpenClaw privilege escalation vulnerability kykeonaut · 303 pts · April 03, 2026 · 50% similar
- Nginx Rift: RCE via heap buffer overflow in rewrite module (CVE-2026-42945) andreamichi · 11 pts · May 13, 2026 · 50% similar
Discussion Highlights (9 comments)
aftbit
Ok now do postfix
ofjcihen
>What follows is, before anything else, a story. One of those old, well-worn ones. Gag.
kro
It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day. https://lists.debian.org/debian-security-announce/2026/msg00...
stackghost
>The bug is a use-after-free triggered when a TLS connection is handled by GnuTLS Color me surprised. The GNU ecosystem has had more than its fair share of CVEs over the years to the point that it's now a common trope: https://soatok.blog/2020/07/08/gnu-a-heuristic-for-bad-crypt...
fulafel
Previously (2023): https://www.bleepingcomputer.com/news/security/millions-of-e... Previously (2020): https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE... Previously (2019): https://www.cvedetails.com/vulnerability-list/vendor_id-1091...
nhattruongadm
The finding method is almost as interesting as the bug itself. XBOW is an AI-based offensive security tool, and UAF bugs at library integration points are exactly the kind of thing that slips past human code review — reviewers focus on protocol logic, not on what happens to object lifetimes when a TLS session tears down mid-flight in an error path. There's a pattern here worth noting: the riskiest attack surfaces in complex C software often aren't in the core logic but at integration boundaries — where one component (Exim) makes assumptions about object lifecycles managed by another (GnuTLS). Those boundaries require simultaneous deep familiarity with both codebases, which is cognitively expensive for humans but maps well to automated analysis. This is also why "use a well-audited TLS library" doesn't fully transfer safety — you inherit the library's correctness guarantees only for the paths the library authors tested, not for how you call it under load or error conditions.
eqvinox
I'm sorry but what the f is that timeline? (Condensed to relevant notifications:) 2025-05-01 - Vulnerability submitted to security@exim.org 2026-05-08 - Exim maintainers notified the Distros 2026-05-10 - Restricted Access is provided for Distros 2026-05-12 - Public release and Coordinated distro Release 4 (2 really) days for distros, and then nothing, zero, zilch, nada between "Coordinated distro Release" and "Public release"? "I should retrain. Something with wood." is the appropriate German idiom for this, I guess.
alpb
Never heard of Exim, I'm just realizing what it is: > Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email. what's the significance of this? do people use this in production systems?
tardedmeme
I've vouched no less than four reasonable comments under this post. Was there a mass flagging campaign?