XBOW found CVE-2026-45185, a use-after-free in Exim’s GnuTLS path enabling unauthenticated RCE, then raced humans against autonomous exploit development during the disclosure window.
Key Takeaways
The bug is a use-after-free in Exim’s GnuTLS TLS shutdown path: a BDAT receive wrapper calls ungetc(), which writes a single byte into the already-freed xfer_buffer and corrupts allocator metadata.
Exploitation requires almost no special server configuration, so default installs on Debian and Debian-derived distributions, including Ubuntu 24.04 LTS, where Exim is built against GnuTLS as its TLS library, are broadly exposed.
A one-byte write primitive is enough to escalate to full RCE: the corrupted allocator internals are leveraged into further memory primitives.
The BDAT chunking stack (bdat_push_receive_functions / bdat_pop_receive_functions) is the structural enabler: it saves and restores the TLS receive callbacks in a way that leaves a dangling reference to the freed buffer.
XBOW used the disclosure window as a live benchmark comparing human vs. LLM autonomous exploit development on a real critical vulnerability.
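The following is an added illustration of the pattern described in the takeaways above (a saved-and-restored receive callback that outlives the buffer it points at, and a single ungetc() landing in the released chunk). It is a hypothetical model written for this page, not Exim's code; every name in it is invented, and the "free" is simulated by marking the buffer dead and filling it with a poison byte so the dangling write can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a BDAT-style receive-function stack layered on a TLS
 * receive buffer. Added example, not Exim's code; all names are invented. */

#define POISON 0xAA   /* stands in for allocator metadata left in a freed chunk */

struct xfer_buf {
    unsigned char *data;
    size_t cap, pos;
    bool live;        /* false once the model has "freed" the buffer */
};

typedef int (*ungetc_fn)(int c);
struct recv_fns { ungetc_fn ungetc; };

static struct xfer_buf *tls_buf;    /* buffer owned by the TLS layer */
static struct recv_fns cur_fns;     /* callbacks the SMTP layer actually calls */
static struct recv_fns saved_fns;   /* saved by bdat_push, restored by bdat_pop */

static struct xfer_buf *xfer_alloc(size_t cap) {
    struct xfer_buf *b = calloc(1, sizeof *b);
    if (!b) abort();
    b->data = calloc(cap, 1);
    if (!b->data) abort();
    b->cap = cap; b->pos = cap / 2; b->live = true;
    return b;
}

/* Simulated free: the block stays mapped, is marked dead and poisoned. */
static void xfer_free(struct xfer_buf *b) {
    b->live = false;
    memset(b->data, POISON, b->cap);
}

/* True if a dead buffer has been written to: the model's stand-in for
 * "allocator metadata corrupted by a one-byte write". */
bool xfer_corrupted(const struct xfer_buf *b) {
    if (b->live) return false;
    for (size_t i = 0; i < b->cap; i++)
        if (b->data[i] != POISON) return true;
    return false;
}

/* Vulnerable TLS ungetc: assumes the buffer it was created with is still live. */
static int tls_ungetc_vuln(int c) {
    struct xfer_buf *b = tls_buf;
    if (b->pos == 0) return EOF;
    b->data[--b->pos] = (unsigned char)c;   /* single-byte write, buffer may be dead */
    return c;
}

/* Hardened TLS ungetc: refuses once the TLS layer has released its buffer. */
static int tls_ungetc_fixed(int c) {
    struct xfer_buf *b = tls_buf;
    if (b == NULL || !b->live || b->pos == 0) return EOF;
    b->data[--b->pos] = (unsigned char)c;
    return c;
}

/* BDAT wrapper: stash the current (TLS) callbacks and route through them. */
static int bdat_ungetc(int c) { return saved_fns.ungetc(c); }

static void bdat_push_receive_functions(void) {
    saved_fns = cur_fns;
    cur_fns.ungetc = bdat_ungetc;
}
/* Restores whatever was saved, whether or not its buffer still exists. */
static void bdat_pop_receive_functions(void) {
    cur_fns = saved_fns;
}

/* Vulnerable shutdown: releases the buffer but the saved callbacks still reach it. */
static void tls_shutdown_vuln(void) { xfer_free(tls_buf); }

/* Hardened shutdown: releases the buffer and drops the TLS layer's pointer to it,
 * so the restored callback sees NULL instead of a dangling reference. */
static void tls_shutdown_fixed(void) { xfer_free(tls_buf); tls_buf = NULL; }

/* Sequence: BDAT wrapper pushed, TLS torn down underneath it, wrapper popped,
 * one ungetc. Returns true if the dead buffer was written to. */
bool run_sequence(bool hardened) {
    struct xfer_buf *b = xfer_alloc(64);
    tls_buf = b;
    cur_fns.ungetc = hardened ? tls_ungetc_fixed : tls_ungetc_vuln;
    bdat_push_receive_functions();
    if (hardened) tls_shutdown_fixed(); else tls_shutdown_vuln();
    bdat_pop_receive_functions();
    cur_fns.ungetc('A');                     /* the single-byte write */
    bool corrupted = xfer_corrupted(b);
    free(b->data); free(b);
    tls_buf = NULL;
    return corrupted;
}

int main(void) {
    printf("vulnerable: freed buffer written = %d\n", run_sequence(false));
    printf("hardened:   freed buffer written = %d\n", run_sequence(true));
    return 0;
}
```

The point the model makes is structural: bdat_pop_receive_functions() faithfully restores a callback whose backing buffer has meanwhile been released, and nothing on the pop path re-validates it. The hardened variant here clears the owner's pointer at shutdown and has the callback check it; a real fix could equally invalidate the saved copy when the TLS session ends.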
Hacker News Comment Review
Discussion is minimal and sarcastic; commenters do not engage with the technical depth and instead react to the literary framing of the write-up.
There is light competitive banter about which MTA should be targeted next (Postfix, then qmail), suggesting researchers see this as a repeatable offensive research template.