Researchers at XBOW disclosed a critical vulnerability in Exim, nicknamed Dead.Letter and tracked as CVE-2026-45185, that lets an unauthenticated attacker execute arbitrary code on a mail server by sending a single stray byte at exactly the right moment during a TLS handshake. Exim is one of the internet’s most widely deployed open-source mail transfer agents and the default MTA shipped on Debian, Ubuntu, and other Debian-derived Linux distributions. The vulnerability carries a CVSS score of 9.8, requires no credentials and no user interaction, and was fixed in Exim 4.99.3 on May 12, 2026. Every conversation about DMARC assumes the infrastructure sending your mail is under your control. This bug is a reminder that assumption has to be earned through patching, not taken for granted.
How the Bug Works
The flaw lives in how Exim parses message bodies sent using the BDAT command, part of the CHUNKING extension to SMTP, when the connection’s TLS is handled by GnuTLS. During a normal TLS shutdown, Exim frees the buffer it used to hold incoming TLS data. The problem is that a nested BDAT receive routine can still be mid-flight when that happens, and it goes on to call a function that writes one character, a single newline, into the memory that was just freed. That one-byte write lands on the heap allocator’s own internal bookkeeping data, corrupting it in a way that gives an attacker a foothold to build a more complete exploit from. To trigger it, an attacker only needs to open a TLS connection to the server, start a BDAT message transfer, send a TLS close_notify alert before the transfer finishes, and follow it with one more byte in cleartext on the same TCP connection. Every piece of that sequence, TLS connections and the CHUNKING extension, is enabled by default on most internet-facing Exim installs.
Who Is Exposed
The vulnerability affects Exim versions 4.97 through 4.99.2, but only builds compiled with USE_GNUTLS=yes. Installations that link against OpenSSL instead of GnuTLS are not vulnerable to this specific path. That distinction concentrates the real-world exposure on Debian, Ubuntu, and other distributions that package Exim with GnuTLS as the default TLS backend, which describes a large share of the small and mid-sized organizations running their own outbound mail server rather than a managed platform. Exim 4.99.3, released May 12, 2026, resets the input processing stack when a close_notify alert arrives during an active BDAT transfer, which closes the specific timing window this bug depends on.
Why This Matters for DMARC
DMARC, SPF, and DKIM all rest on one shared assumption: that the servers listed in your SPF record and holding your DKIM private keys are operated only by people your organization trusts. An unauthenticated remote code execution bug in the mail server itself breaks that assumption at its foundation, not at its edges. A phishing kit or a compromised employee account still has to work around DMARC from outside your infrastructure. An attacker who lands code execution on your Exim box through Dead.Letter is not working around anything. They are inside the infrastructure your SPF record already authorizes and next to the DKIM keys your domain already trusts. Mail sent from that box after a successful exploit carries a real DKIM signature, originates from an IP address your own SPF record permits, and passes DMARC alignment cleanly at any recipient checking it, because by every technical measure DMARC applies, that mail really did come from your authorized infrastructure. The compromise happened one layer below where DMARC ever looks.
What Defenders Should Do
Patch to Exim 4.99.3 immediately. A CVSS 9.8 bug requiring no authentication and no user interaction, in software that directly faces the internet by design, should be treated as an emergency change, not a routine maintenance window.
Check whether your build actually uses GnuTLS. Running exim -bV shows the compile-time options, including which TLS library was used. Debian and Ubuntu deployments should assume they are affected until that command proves otherwise.
Watch for unexplained Exim crashes as a leading indicator. A use-after-free exploit attempt frequently crashes the target process before an attacker refines it into reliable code execution. A spike in Exim restarts or segfaults tied to SMTP sessions is worth investigating even if nothing else looks wrong yet.
Audit DKIM key integrity after patching. If your mail server was internet-facing and unpatched during the exposure window, confirm your DKIM private keys were not accessed or replaced, and rotate them if there is any doubt.
The Takeaway
DMARC enforcement protects the claim that a message came from infrastructure your domain owner authorized. That protection only means something if the infrastructure itself has not been quietly handed to someone else. Dead.Letter is a reminder that keeping your mail transfer agent patched is not a separate item on the checklist next to DMARC, SPF, and DKIM. It is the precondition that makes all three of those protocols worth having in the first place.
Excello Mail gives you continuous visibility into your DMARC aggregate reports and every source authorized to send as your domain, so unexpected mail from your own infrastructure is easier to catch fast. Sign up for free to Excello Mail to keep that visibility in place while your team keeps Exim, Postfix, or whatever runs your outbound mail patched and current.