Exim CVE-2026-45185: Critical Mail Server Patch Guide

Exim mail server protected with CVE-2026-45185 patch guidance for hosting providers

Impact statement: CVE-2026-45185 is a critical Exim mail server vulnerability fixed in Exim 4.99.3. NVD rates it CVSS 9.8 Critical, with network reachability, no authentication required, and no user interaction required. The issue affects certain Exim builds that use GnuTLS, which makes it especially relevant to Linux mail servers, shared hosting nodes, cPanel/WHM fleets, Debian/Ubuntu hosts, and any server that accepts public SMTP traffic.

For hosting providers, this belongs in the same urgency bucket as a control-panel patch. Exim often sits on the same machines that host customer websites, cPanel accounts, webmail, forwarders, spam filtering, and outbound mail queues. Patch the mail stack, restart Exim cleanly, verify mail flow, and review logs.

Affected Versions

Public advisories list Exim versions before 4.99.3 as affected when built in certain GnuTLS configurations. Debian’s tracker describes the issue as present in Exim before 4.99.3. INCIBE lists affected Exim versions from 4.97 through 4.99.2. If you run Exim and public SMTP, treat anything older than 4.99.3 as needing immediate vendor review.

Check Exim Version And TLS Build

# Show Exim version and build details.
exim -bV

# Common cPanel path if exim is not in the shell path.
/usr/sbin/exim -bV

# Look for package source on Debian/Ubuntu.
apt-cache policy exim4 exim4-daemon-heavy exim4-daemon-light

# Look for package source on AlmaLinux/Rocky/RHEL/CloudLinux.
dnf info exim

Do not assume a server is safe just because it is behind a spam filter. If Exim accepts SMTP connections or is exposed through a hosting stack, confirm the package version and the vendor patch status.
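The version and TLS checks above can be scripted so a fleet sweep gives one verdict per host. The following is an added example, not code from the original post or from the Exim project: it parses `exim -bV` style output, compares the version against 4.99.3 (the fixed release named above), and checks whether GnuTLS appears on the build's "Support for:" line. The -bV line formats and the constructed sample outputs are assumptions based on typical Exim output.

```shell
# Added example: classify an Exim build from its `exim -bV` output.
# Fixed version 4.99.3 is from the advisory; line formats are assumptions.
FIXED_VERSION="4.99.3"

# Returns 0 when dotted version $1 is lower than $2 (missing parts count as 0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Pull "4.98.1" out of a line like "Exim version 4.98.1 #2 built ...".
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Returns 0 when GnuTLS is listed on the "Support for:" line of the -bV output.
exim_uses_gnutls() {
    grep -qE '^Support for:.*[[:space:]]GnuTLS([[:space:]]|$)'
}

# Verdict for the -bV text passed as $1:
#   patch   -> older than 4.99.3 and a GnuTLS build (matches the advisory)
#   review  -> older than 4.99.3 but GnuTLS not listed (confirm with vendor)
#   ok      -> 4.99.3 or newer;  unknown -> no version line found
exim_cve_2026_45185_status() {
    ver=$(printf '%s\n' "$1" | exim_version_from_bv)
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        if printf '%s\n' "$1" | exim_uses_gnutls; then echo "patch"; else echo "review"; fi
    else
        echo "ok"
    fi
}

# Constructed sample outputs standing in for real `exim -bV` runs (assumption).
SAMPLE_VULN_BV='Exim version 4.98.1 #2 built 01-Jan-2025 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC OCSP'
SAMPLE_FIXED_BV='Exim version 4.99.3 #1 built 01-Jan-2026 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC OCSP'

# Live use on a server: exim_cve_2026_45185_status "$(exim -bV)"
echo "sample vulnerable build: $(exim_cve_2026_45185_status "$SAMPLE_VULN_BV")"
echo "sample fixed build: $(exim_cve_2026_45185_status "$SAMPLE_FIXED_BV")"
```

A "review" result still warrants checking the vendor's patch status, since the page notes the bug is tied to certain GnuTLS build configurations rather than a single flag.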

Patch cPanel/WHM Servers

On cPanel/WHM, patch through cPanel’s package path so EasyApache, mail services, monitoring, and future updates stay aligned.

# Check current cPanel and Exim state.
/usr/local/cpanel/cpanel -V
/usr/sbin/exim -bV

# Pull current cPanel security packages.
/scripts/upcp --force
/scripts/check_cpanel_rpms --fix

# Restart Exim after patching.
/scripts/restartsrv_exim

# Verify after restart.
/usr/sbin/exim -bV
/scripts/restartsrv_exim --status

Patch Debian Or Ubuntu

# Refresh packages and inspect the available Exim build.
apt update
apt-cache policy exim4 exim4-daemon-heavy exim4-daemon-light

# Upgrade the Exim package used by the server.
apt install --only-upgrade exim4 exim4-daemon-heavy exim4-daemon-light

# Restart and verify.
systemctl restart exim4
systemctl status exim4 --no-pager
exim -bV

Patch AlmaLinux, Rocky, RHEL, Or CloudLinux

# Check package source.
dnf info exim

# Apply available vendor update.
dnf update exim

# Restart and verify.
systemctl restart exim
systemctl status exim --no-pager
exim -bV

For Plesk, DirectAdmin, Webmin/Virtualmin, and custom mail stacks, use the platform’s supported package source. If the panel owns Exim, patch through the panel path first.

Verify Mail Flow

# Queue and service checks.
exim -bp | head -50
mailq | head -50

# cPanel log examples.
tail -n 200 /var/log/exim_mainlog
tail -n 100 /var/log/exim_paniclog 2>/dev/null
tail -n 100 /var/log/exim_rejectlog 2>/dev/null

What To Review

Customer Communication

Use plain wording: Exim released a critical security update, mail services may restart briefly, queued mail should continue processing after the restart, and the team is checking mail flow and logs. For self-managed servers, tell customers to update Exim through their operating system, cPanel, Plesk, DirectAdmin, or mail-platform vendor.

CDN And WAF Note

A web WAF cannot patch SMTP. The CDN side should still flag managed customers that expose mail administration panels publicly and notify the mail/server team to patch Exim. For edge mail filtering products, coordinate separately with the mail security platform owner.

Sources

Need help patching Exim on cPanel, Debian/Ubuntu, DirectAdmin, Plesk, or custom Linux mail servers? Open a ticket through Help4Network.com.