>What follows is, before anything else, a story. One of those old, well-worn ones.
Gag.
I've vouched no less than four reasonable comments under this post. Was there a mass flagging campaign?
I'm sorry but what the f is that timeline? (Condensed to relevant notifications:)
2025-05-01 - Vulnerability submitted to [email protected]
2026-05-08 - Exim maintainers notified the Distros
2026-05-10 - Restricted Access is provided for Distros
2026-05-12 - Public release and Coordinated distro Release
4 (2 really) days for distros, and then nothing, zero, zilch, nada between "Coordinated distro Release" and "Public release"?
"I should retrain. Something with wood." is the appropriate German idiom for this, I guess.
Previously (2023): https://www.bleepingcomputer.com/news/security/millions-of-e...
Previously (2020): https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE...
Previously (2019): https://www.cvedetails.com/vulnerability-list/vendor_id-1091...
>The bug is a use-after-free triggered when a TLS connection is handled by GnuTLS
Color me surprised. The GNU ecosystem has had more than its fair share of CVEs over the years to the point that it's now a common trope:
https://soatok.blog/2020/07/08/gnu-a-heuristic-for-bad-crypt...
Never heard of Exim; I'm just realizing what it is:
> Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email.
What's the significance of this? Do people use this in production systems?
It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.
https://lists.debian.org/debian-security-announce/2026/msg00...