CVE-2026-45185
Publication date 12 May 2026
Last updated 6 June 2026
Ubuntu priority: High
CVSS 3 severity score: 9.8 (Critical)
Description
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Why is this CVE high priority?
This results in remote code execution
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| exim4 | 26.04 LTS resolute | Fixed 4.99.1-1ubuntu1.2 |
| exim4 | 25.10 questing | Fixed 4.98.2-1ubuntu2.2 |
| exim4 | 24.04 LTS noble | Fixed 4.97-4ubuntu4.5 |
| exim4 | 22.04 LTS jammy | Fixed 4.95-4ubuntu2.8 |
| exim4 | 20.04 LTS focal | Fixed 4.93-13ubuntu1.12+esm1 |
| exim4 | 18.04 LTS bionic | Ignored (changes too intrusive) |
| exim4 | 16.04 LTS xenial | Ignored (end of ESM support, was needs-triage) |
| exim4 | 14.04 LTS trusty | Ignored (changes too intrusive) |
Notes
mdeslaur
This was fixed by USN-8270-1, but at the time of publication, the CVE number had not been assigned yet.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 (Critical) |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality impact | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-8382-1: Exim vulnerabilities (3 June 2026)