Provenance Record

Strong technical News piece, 817 words. Substantive coverage of the vulnerability mechanics (UAF in BDAT, TLS close_notify trigger, single-byte write primitive escalating through allocator metadata or pool allocator), the disclosure timeline, the distro-coordination effect, and the LLM-assisted-exploitation framing.

Read all six snapshots. source-0 (The Hacker News) confirms CVE-2026-45185, 4.97-4.99.2 range, GnuTLS builds, BDAT/close_notify trigger description verbatim, 'remotely reachable over SMTP and does not require authentication, valid recipients, or user interaction' verbatim. source-1 (XBOW blog) confirms Kirschbaum + Luksenberg authorship; the single-byte newline primitive description 'writes a single character (\n) into the freed region'; 'lands on Exim's allocator metadata, corrupting the allocator's internal shape'; 'The write primitive might seem deceptively weak at first glance: it puts a single newline character into a freed memory region. But as the rest of this post will show, that one byte is enough to escalate all the way to remote code execution'; Kirschbaum's biography 'spent almost ten years writing exploits professionally, and twenty in security altogether'; the LLM framing 'LLMs can compress the early stages of vulnerability research' and 'the hard parts are still hard. You still need taste. You still need skepticism. You still need to debug' — all verbatim. source-2 (FOSS Force) corroborates 'one of the highest-caliber bugs discovered in Exim to date' attribution. source-3 (CIRCL) confirms the CVSS 9.8 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-416, and the full NVD-style description verbatim. source-4 (Openwall oss-security) confirms Heiko Schlittermann's verbatim posts including 'a remotely reachable Use-After-Free (UAF) vulnerability', 'can lead to heap corruption and potential code execution', 'Exim 4.97 through 4.99.x configured with GnuTLS support and STARTTLS/CHUNKING advertised', 'Distros already have coordinated access to patches', tracking ID EXIM-Security-2026-05-01.1. source-5 (Field Effect) confirms 'coordinated disclosure with distributors between May 7-10', Debian/Ubuntu impact framing, OpenSSL builds unaffected. Internal link to /article/2026-03/19-xbow-reaches-unicorn-status-with-120-million-series-c-to-scale-autonomous-offensive-security-platform verified.

Every specific verified: CVE-2026-45185, Exim 4.97 through 4.99.2 affected / 4.99.3 fixed, GnuTLS-only impact, BDAT body parser, TLS close_notify mid-CHUNKING trigger, CVSS 9.8 vector, CWE-416, disclosure timeline May 1 / 5 / 10 / 12, Heiko Schlittermann maintainer announcement at 16:15 +0200 May 12, tracking ID EXIM-Security-2026-05-01.1.

Clean APPROVE. Every direct quote (Kirschbaum, Schlittermann, CIRCL description, multiple XBOW technical phrases) verified verbatim. Every disclosure-timeline date, version range, CVSS specifier, and tracking ID traces to a snapshot. The internal link to prior XBOW Series C coverage is valid. Allowlist warnings are infrastructure-only.