Dead.Letter (CVE-2026-45185) – How XBOW found an unauthenticated RCE on Exim
31 points
1 hour ago
| 5 comments
| xbow.com
| HN
fulafel
13 minutes ago
[-]
Previously (2023): https://www.bleepingcomputer.com/news/security/millions-of-e...

Previously (2020): https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE...

Previously (2019): https://www.cvedetails.com/vulnerability-list/vendor_id-1091...

reply
ofjcihen
1 hour ago
[-]
>What follows is, before anything else, a story. One of those old, well-worn ones.

Gag.

reply
kro
1 hour ago
[-]
It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.

https://lists.debian.org/debian-security-announce/2026/msg00...

reply
aftbit
1 hour ago
[-]
Ok now do postfix
reply
sys42590
50 minutes ago
[-]
Many years ago I used Exim because it was default for my distro of choice back then. But after a few emergency patchings caused by yet another RCE in Exim I learned that switching to Postfix massively improved my sleep quality.
reply
tptacek
38 minutes ago
[-]
There's a weird folk belief that Exim is a secure 2nd-generation MTA, but it's not; it's a 1st generation MTA, like Sendmail and Smail. The two "secure" 2nd generation MTAs are Postfix and qmail. You shouldn't use those either, really; there is no reason to run a memory-unsafe MTA, or, for that matter, an MTA that isn't backed by a real database.
reply
loloquwowndueo
16 minutes ago
[-]
Which one would you suggest using?

I’ve been looking at Stalwart to replace my old exim setup, wondering if it’s a reasonable choice.

reply
tptacek
8 minutes ago
[-]
If security is your concern, Stalwart seems like a fine option, almost certainly better than Postfix.
reply
kees99
1 hour ago
[-]
Nah, go straight for qmail. Give it your best try.
reply
rs_rs_rs_rs_rs
1 hour ago
[-]
The usable qmail got owned by AI already, the unusable one not yet!
reply
tptacek
51 minutes ago
[-]
Not by AI, but by humans awhile ago. I think Qualys weaponized a wontfix LP64 integer overflow in it just a couple years ago?
reply
rs_rs_rs_rs_rs
38 minutes ago
[-]
The Calif people found a nice bug in a qmail fork(what I consider usable qmail) some weeks ago.
reply
tptacek
35 minutes ago
[-]
Right, and that fork is the only version of qmail people still run, and the bug they found was extremely funny given Bernstein's original qmail design (it was, if I remember right, a popen(3) vulnerability --- something that never would have showed up in Bernstein's code, but that's what happens when code gets abandoned, it gets picked up by people who don't really understand it). But it's hard to charge that vulnerability against the original qmail design.

(I don't think anyone should run qmail.)

reply
stackghost
57 minutes ago
[-]
>The bug is a use-after-free triggered when a TLS connection is handled by GnuTLS

Color me surprised. The GNU ecosystem has had more than its fair share of CVEs over the years to the point that it's now a common trope:

https://soatok.blog/2020/07/08/gnu-a-heuristic-for-bad-crypt...

reply