HeadlinesBriefing.com

XBOW Exim RCE Vulnerability Exposes Critical Flaw in Exim's GnuTLS Handling

Source: Hacker News

XBOW discovered an unauthenticated remote code execution (RCE) vulnerability in Exim, a widely used mail transfer agent. The flaw, tracked as CVE-2026-45185, is a use-after-free in Exim's GnuTLS-based TLS handling during TLS shutdown. An attacker reaches it through a nested BDAT receive wrapper that pushes a single byte back into a receive buffer that has already been freed, corrupting allocator metadata. A one-byte write into freed memory looks trivial, but it is enough of a primitive to build further exploitation on.

The vulnerability resides in Exim's TLS handling code, where the 4096-byte transfer buffer is allocated with store_malloc(). When the TLS session is torn down, that buffer is freed, but the BDAT handler still holds a pointer to it and writes through that stale pointer, corrupting the heap. The vulnerable path is reachable in a near-default configuration (TLS plus BDAT, the command of the SMTP CHUNKING extension), which is what makes it so dangerous. That is a significant escalation in Exim's vulnerability history, where similar flaws were previously limited to niche scenarios.

Exim's GnuTLS integration is central to the attack. tls_server_start() sets up the TLS session, and gnutls_bye() and gnutls_deinit() tear it down. tls_ungetc(), which pushes a byte back into the receive buffer so that it is re-read, is the write that lands in freed memory when it runs after that teardown. The 4096-byte buffer matters because its fixed size determines which allocator size class the freed chunk returns to, and its lifetime is what the code gets wrong. The flaw underscores the risk of buffer-lifetime bugs at the boundary between a C application and its TLS library.
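The sequence described above, modelled as an added C example (not Exim's code and not XBOW's exploit): a receive context owns a 4096-byte heap buffer, TLS shutdown frees it, and a push-back routine in the style of tls_ungetc() writes one byte through the stale pointer. The allocator stand-in, the rx_* names and the sample BDAT line are assumptions for illustration; the instrumented allocator only marks chunks freed rather than returning them to libc, so the stale write can be observed instead of being undefined behaviour. The hardened pair alongside it shows the shape of a fix: clear every reference at teardown and check buffer lifetime before writing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define RX_BUF_SIZE 4096   /* same size as the Exim buffer the article names */

/* Instrumented stand-in for store_malloc()/free() (assumption: not Exim's
 * allocator). It never returns memory to libc, only marks chunks freed, so a
 * write through a stale pointer is observable instead of undefined behaviour. */
struct chunk { unsigned char *mem; size_t len; bool freed; };
static struct chunk pool[8];
static int pool_n;

static unsigned char *mock_malloc(size_t n) {
    if (pool_n >= 8) return NULL;
    unsigned char *m = malloc(n);
    if (m == NULL) return NULL;
    pool[pool_n++] = (struct chunk){ m, n, false };
    return m;
}

static void mock_free(unsigned char *p) {
    for (int i = 0; i < pool_n; i++)
        if (pool[i].mem == p) pool[i].freed = true;
}

/* Does p point into a chunk that has already been freed? */
static bool is_freed(const unsigned char *p) {
    for (int i = 0; i < pool_n; i++)
        if (pool[i].freed && p >= pool[i].mem && p < pool[i].mem + pool[i].len)
            return true;
    return false;
}

/* Receive context: heap buffer plus read cursor, as a TLS input layer keeps. */
struct rx_ctx {
    unsigned char *buf;   /* receive buffer (heap) */
    unsigned char *ptr;   /* next unread byte */
    unsigned char *end;   /* one past the last valid byte */
    bool tls_active;      /* session still up? */
};

/* Constructed sample input: one TLS record carrying a BDAT chunk. */
static const char sample[] = "BDAT 5 LAST\r\nhello";

static int rx_open(struct rx_ctx *c) {
    c->buf = mock_malloc(RX_BUF_SIZE);
    if (c->buf == NULL) return -1;
    memcpy(c->buf, sample, sizeof sample - 1);
    c->ptr = c->buf + 1;   /* one byte already consumed, so push-back has room */
    c->end = c->buf + sizeof sample - 1;
    c->tls_active = true;
    return 0;
}

/* Vulnerable teardown: frees the buffer but leaves buf/ptr/end dangling. */
static void rx_tls_shutdown_vuln(struct rx_ctx *c) {
    c->tls_active = false;
    mock_free(c->buf);
}

/* Vulnerable push-back: writes through ptr with no check of buffer lifetime.
 * After the teardown above this is the one-byte use-after-free write. */
static int rx_ungetc_vuln(struct rx_ctx *c, int ch) {
    if (c->ptr == c->buf) return -1;
    *--c->ptr = (unsigned char)ch;
    return ch;
}

/* Hardened teardown: free, then clear every reference to the buffer. */
static void rx_tls_shutdown_fixed(struct rx_ctx *c) {
    c->tls_active = false;
    mock_free(c->buf);
    c->buf = c->ptr = c->end = NULL;
}

/* Hardened push-back: refuses once the session is down or the buffer is gone. */
static int rx_ungetc_fixed(struct rx_ctx *c, int ch) {
    if (!c->tls_active || c->buf == NULL || c->ptr == c->buf) return -1;
    *--c->ptr = (unsigned char)ch;
    return ch;
}

/* The sequence from the write-up: TLS shutdown runs, then a nested receive
 * wrapper still holding the context pushes a byte back. Returns true if that
 * write landed in freed memory. */
bool demo_vulnerable(void) {
    struct rx_ctx c;
    if (rx_open(&c) != 0) return false;
    rx_tls_shutdown_vuln(&c);
    return rx_ungetc_vuln(&c, 'X') == 'X' && is_freed(c.ptr);
}

/* Same sequence against the hardened code: push-back is rejected, no write. */
bool demo_fixed(void) {
    struct rx_ctx c;
    if (rx_open(&c) != 0) return false;
    rx_tls_shutdown_fixed(&c);
    return rx_ungetc_fixed(&c, 'X') == -1 && c.buf == NULL;
}
```

The point of the instrumented allocator is only to make the stale write visible; in a real process the same write hits whatever the allocator has placed in that chunk's size class, which is the allocator-metadata corruption the article describes. The fix is not in the push-back routine alone: the teardown path must drop every reference it freed, and the input routine must check session state before touching the buffer.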

The discovery highlights the importance of rigorous memory-safety practices. XBOW's use of AI in exploit development is notable, but the technical depth of the vulnerability itself is the real story. Debian-based systems, including Ubuntu 24.04 LTS, are at risk; patch immediately to close off the RCE.