## Overview
A critical use-after-free vulnerability has been discovered in **Exim**, one of the most widely deployed mail transfer agents on the internet.
## Technical Details
The flaw is triggered when a client sends a TLS `close_notify` mid-body during a **CHUNKING (BDAT)** transfer and then sends a final cleartext byte on the same TCP connection. In response to the `close_notify`, Exim frees its TLS transfer buffer, but the nested BDAT receive wrapper is still active and keeps processing incoming bytes. It writes a single newline character into the freed region, **corrupting the allocator's internal metadata**.
An unauthenticated remote attacker can exploit this heap corruption to achieve **remote code execution** on the mail server. The attacker needs only a TCP connection to a server that offers TLS (STARTTLS or implicit TLS) and advertises CHUNKING; Exim advertises CHUNKING to every host by default (`chunking_advertise_hosts = *`), so any TLS-enabled listener is reachable unless that option has been narrowed.
## Impact
– **No authentication required**
– **No user interaction required**
– Full system compromise (confidentiality, integrity, availability)
– CVSS v3.1: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` (base score 9.8, Critical)
## Affected Versions
Exim **4.97 through 4.99.2**, i.e. any release **< 4.99.3** from 4.97 onward, when built against **GnuTLS**. Releases before 4.97 are not affected, and builds that use OpenSSL are not listed as affected. The TLS library a build uses is shown on the `Support for:` line of `exim -bV`.
## Remediation
Upgrade Exim to **version 4.99.3 or later** and confirm the running build with `exim -bV` (the first line gives the version, the `Support for:` line the TLS library). If an immediate upgrade is not possible, restrict inbound SMTP (ports 25, 465 and 587) at the network level to known peers as a temporary mitigation. Because the trigger requires a BDAT transfer, not advertising CHUNKING (an empty `chunking_advertise_hosts`) also removes the reachable path, since Exim rejects BDAT when CHUNKING was not advertised. Disabling TLS would likewise remove the trigger, but it downgrades every inbound session to cleartext and is not a recommended workaround.
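As an added example (not part of this advisory and not Exim project code), the following Python script parses `exim -bV` output and reports whether a build falls in the affected range stated above: version 4.97 or later, below 4.99.3, and linked against GnuTLS. The sample outputs are constructed to resemble `exim -bV` and are not captured from real hosts; the `read_installed_build` helper and its default `exim` path are assumptions for running the check on a live system.

```python
"""Classify an Exim build against the affected range in this advisory.

Added example, not code from the advisory or from the Exim project. It
parses `exim -bV` output: the first line carries the version, and the
"Support for:" line names the TLS library (newer builds print "TLS=GnuTLS"
or "TLS=OpenSSL", older builds print the bare library name).
"""
import re
import subprocess
from typing import NamedTuple, Optional, Tuple

# Range stated in the advisory: 4.97 <= version < 4.99.3, GnuTLS builds only.
AFFECTED_MIN = (4, 97, 0)
FIXED_VERSION = (4, 99, 3)

# Constructed samples shaped like `exim -bV` output (not captured from real hosts).
SAMPLE_AFFECTED = """Exim version 4.98 #2 built 13-Oct-2024 10:12:34
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TLS=GnuTLS DANE DKIM DNSSEC Event OCSP PRDR PROXY
Configuration file is /etc/exim4/exim4.conf
"""
SAMPLE_FIXED = """Exim version 4.99.3 #1 built 01-Jan-2026 08:00:00
Support for: crypteq iconv() IPv6 TLS=GnuTLS DANE DKIM DNSSEC
Configuration file is /etc/exim.conf
"""
SAMPLE_OPENSSL = """Exim version 4.98 #1 built 13-Oct-2024 10:12:34
Support for: crypteq iconv() IPv6 TLS=OpenSSL DANE DKIM DNSSEC
Configuration file is /etc/exim.conf
"""
SAMPLE_OLD_STYLE = """Exim version 4.96 #2 built 21-Jul-2022 12:00:00
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC
Configuration file is /etc/exim4/exim4.conf
"""


class EximBuild(NamedTuple):
    version: Tuple[int, int, int]
    tls_library: Optional[str]  # "GnuTLS", "OpenSSL", or None when built without TLS


def parse_build(bv_output: str) -> EximBuild:
    """Extract the version tuple and TLS library name from `exim -bV` text."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

    # The library appears as "TLS=GnuTLS" on newer builds or as a bare "GnuTLS" token on older ones.
    support = re.search(r"^Support for:(.*)$", bv_output, re.M)
    tls_library = None
    if support:
        lib = re.search(r"\b(?:TLS=)?(GnuTLS|OpenSSL)\b", support.group(1))
        if lib:
            tls_library = lib.group(1)
    return EximBuild(version, tls_library)


def is_affected(build: EximBuild) -> bool:
    """True when the build is a GnuTLS build inside the vulnerable version range."""
    return (build.tls_library == "GnuTLS"
            and AFFECTED_MIN <= build.version < FIXED_VERSION)


def read_installed_build(exim_path: str = "exim") -> Optional[EximBuild]:
    """Run `exim -bV` on this host (path is an assumption); None if it cannot run."""
    try:
        out = subprocess.run([exim_path, "-bV"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return parse_build(out)


if __name__ == "__main__":
    installed = read_installed_build()
    if installed is None:
        print("exim not found or failed to run; checking constructed samples only")
    else:
        print(f"installed: {installed} -> affected={is_affected(installed)}")
    for name, text in [("affected", SAMPLE_AFFECTED), ("fixed", SAMPLE_FIXED),
                       ("openssl", SAMPLE_OPENSSL), ("old-style", SAMPLE_OLD_STYLE)]:
        build = parse_build(text)
        print(f"{name}: {build} -> affected={is_affected(build)}")
```

The version comparison is done on integer tuples rather than on the string, so `4.99.2` sorts below `4.99.3` and a patch-less `4.98` is treated as `4.98.0`; a build whose `Support for:` line names no TLS library is reported as not affected because the vulnerable path is only reachable over TLS.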