The Vulnerability Explained
A recently uncovered security flaw in the Exim mail transfer agent involves the interaction between the BDAT (Binary Data to ASCII) chunking mechanism and the GnuTLS cryptographic library. This vulnerability can be exploited by an unauthenticated remote attacker to trigger a buffer overflow condition. By sending a specially crafted sequence of BDAT chunks, the attacker can corrupt memory, ultimately leading to arbitrary code execution on the targeted Exim server.
The issue lies in how Exim handles BDAT messages when using TLS encryption via GnuTLS. The improper validation of message sizes during the chunked transfer process allows the attacker to write data beyond the allocated buffer boundaries. This type of memory corruption bug is particularly dangerous because it can be leveraged to bypass security controls and gain full control of the mail server without requiring any prior authentication.
Impact and Scope
This vulnerability affects all versions of Exim that support the BDAT extension when compiled with GnuTLS. Given that Exim is the default mail transfer agent on many Linux distributions, the potential attack surface is substantial. Administrators running Exim with GnuTLS are strongly advised to apply patches immediately to prevent exploitation.
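As an added example (not code from the article or the Exim project), the script below checks whether a host matches the configuration described above: an Exim build linked against GnuTLS that also advertises the CHUNKING extension, which is what carries BDAT. It assumes `exim -bV` and `exim -bP chunking_advertise_hosts` as its inputs, the function names and sample text are constructed, and it does not judge patch level.

```shell
#!/bin/sh
# Added example: does this Exim match the configuration the article describes
# (GnuTLS build that offers CHUNKING/BDAT)? Patch level is NOT evaluated.

# Exit 0 if the "Support for:" line of `exim -bV` output lists GnuTLS.
uses_gnutls() {
    printf '%s\n' "$1" | grep '^Support for:' | grep -qw 'GnuTLS'
}

# Exit 0 if `exim -bP chunking_advertise_hosts` output shows a non-empty
# host list; an empty list means CHUNKING is not advertised to any client.
chunking_advertised() {
    value=$(printf '%s\n' "$1" | sed -n 's/^chunking_advertise_hosts *= *//p')
    [ -n "$value" ]
}

# classify BV_OUTPUT BP_OUTPUT -> prints one verdict word
classify() {
    if ! uses_gnutls "$1"; then
        echo "not-gnutls"
    elif ! chunking_advertised "$2"; then
        echo "chunking-not-advertised"
    else
        echo "gnutls-with-chunking"
    fi
}

# Constructed sample output (not captured from a real host).
SAMPLE_BV='Exim version 0.00 #1 built (constructed sample)
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event PRDR
Lookups (built-in): lsearch wildlsearch dbm'
SAMPLE_BP='chunking_advertise_hosts = *'

if command -v exim >/dev/null 2>&1; then
    # Live host: feed the real command output to the classifier.
    classify "$(exim -bV 2>/dev/null)" "$(exim -bP chunking_advertise_hosts 2>/dev/null)"
else
    classify "$SAMPLE_BV" "$SAMPLE_BP"
fi
```

A verdict of `gnutls-with-chunking` only means the host is in the affected configuration class; compare the installed package against the vendor advisory to confirm whether the fix is present.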
At the time of writing, the Exim development team has released a security update to address this flaw. Users should update to the latest patched version or apply the provided workarounds. No in-the-wild exploitation has been reported yet, but the technical details could allow threat actors to develop weaponized code quickly. For full technical details, refer to the official advisories for CVE-2025-2952 and CVE-2025-3051 at cve.org.
Source: Cyber Security News

