Previously (2023): https://www.bleepingcomputer.com/news/security/millions-of-e...
Previously (2020): https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE...
Previously (2019): https://www.cvedetails.com/vulnerability-list/vendor_id-1091...
It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.
https://lists.debian.org/debian-security-announce/2026/msg00...
>The bug is a use-after-free triggered when a TLS connection is handled by GnuTLS
Color me surprised. The GNU ecosystem has had more than its fair share of CVEs over the years to the point that it's now a common trope:
https://soatok.blog/2020/07/08/gnu-a-heuristic-for-bad-crypt...
>What follows is, before anything else, a story. One of those old, well-worn ones.
Gag.