CVE-2026-45185

NameCVE-2026-45185
DescriptionExim-Security-2026-05-01.1: TLS: on rxd close with CHUNKING active, clean the input processing stack
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4580-1, DSA-6265-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
exim4 (PTS)bullseye4.94.2-7+deb11u3vulnerable
bullseye (security)4.94.2-7+deb11u5fixed
bookworm4.96-15+deb12u7vulnerable
bookworm (security)4.96-15+deb12u9fixed
trixie4.98.2-1vulnerable
trixie (security)4.98.2-1+deb13u2fixed
forky4.99.2-1vulnerable
sid4.99.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
exim4sourcebullseye4.94.2-7+deb11u5DLA-4580-1
exim4sourcebookworm4.96-15+deb12u9DSA-6265-1
exim4sourcetrixie4.98.2-1+deb13u2DSA-6265-1
exim4source(unstable)4.99.2-2

Notes

https://code.exim.org/exim/exim/commit/040c1ce6889f435206677ed532c9a4185cf0bcaf
https://www.openwall.com/lists/oss-security/2026/05/12/4
https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/EXIM-Security-2026-05-01.1.txt
https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim
Search for package or bug name: Reporting problems