First AI-Developed Zero-Day Used in the Wild: CVE-2026-45185 Exim Exploit
Quick summary
Google disclosed the first confirmed AI-developed zero-day exploit used in a real attack: CVE-2026-45185 in Exim mail servers. A threat actor used AI to find and weaponize it.
Google disclosed on May 13, 2026 that a threat actor used artificial intelligence to discover and weaponize a previously unknown vulnerability in Exim mail servers — the first confirmed use of AI to develop a zero-day exploit deployed in real attacks. The vulnerability, CVE-2026-45185 (nicknamed "Dead.Letter"), is a use-after-free in Exim's BDAT message parsing when compiled with GnuTLS. An attacker who can send email to an affected server can trigger the bug for remote code execution. Google's Threat Intelligence Group identified the exploit in active campaigns before the vulnerability was known or patched.
The reason this disclosure matters beyond one CVE: it confirms that the AI-powered attack capability that security researchers have been warning about for two years is now operational in the hands of real threat actors. The defenders' AI arms race just got real on both sides.
What CVE-2026-45185 Is
CVE-2026-45185 is a use-after-free vulnerability in Exim's handling of BDAT (Binary Data) SMTP commands when Exim is compiled with GnuTLS support.
BDAT is the transfer command of the SMTP CHUNKING extension (RFC 3030): instead of the dot-terminated DATA stream, the client sends the message as length-prefixed chunks, and a server opts in by advertising CHUNKING in its EHLO response. In Exim's GnuTLS code path, a TLS session teardown that occurs mid-BDAT transaction can leave a reference to a buffer held past the point where that buffer is freed. A subsequent allocation can reuse the freed memory, and under specific timing conditions the stale reference is then dereferenced: a classic use-after-free.
Exploitation: an attacker sends a crafted BDAT sequence that triggers the TLS teardown at the vulnerable point in the transaction. With a controlled heap layout (achievable through prior SMTP session setup), the freed memory is filled with attacker-controlled content before the use-after-free dereference. The result is arbitrary code execution in the context of the Exim process — typically running as a low-privilege mail user, but sufficient for privilege escalation to root via secondary vulnerabilities or misconfigurations.
The attack requires the ability to initiate an SMTP connection to the target server — meaning the attacker either has an IP that the server accepts email from, or the server accepts email from any source (most public Exim deployments do).
Exim runs approximately 59% of publicly accessible mail transfer agents on the internet. The blast radius of an exploitable Exim vulnerability is enormous.
What Makes This Different: AI-Assisted Discovery
Google's Threat Intelligence Group (GTIG) identified the campaign and traced the exploit back to evidence that the vulnerability was discovered using AI-assisted analysis rather than conventional manual fuzzing or code review.
The evidence cited in the GTIG report:
Novel vulnerability class: CVE-2026-45185 exploits a specific interaction between Exim's BDAT handler and GnuTLS's session lifecycle callbacks. This interaction requires understanding the control flow across two codebases (Exim and GnuTLS) simultaneously — a cross-library temporal vulnerability that is extremely difficult to discover through standard single-codebase fuzzing. AI systems that can reason about multi-codebase interactions are well-suited to this class of discovery.
Exploit precision: The exploit works on the first attempt against hardened targets with ASLR and PIE enabled. Manual exploit development for use-after-free bugs typically needs several attempts and per-target environmental characterisation. The precision of the observed exploit suggests automated testing and refinement, the kind of iteration loop that AI can run at a speed human researchers cannot match.
Variant generation: GTIG observed that the attacker had also developed a variant targeting Exim with OpenSSL rather than GnuTLS. The GnuTLS and OpenSSL TLS session lifecycle APIs are different enough that the variant is not a trivial port — it requires re-analysis of the vulnerable code path in the OpenSSL context. Generating two variants at similar quality levels suggests automated analysis of both code paths rather than manual development.
The GTIG report stops short of attributing this to a specific nation-state group or naming the AI tool used. The assessment is that the capability is now at a level of sophistication associated with advanced persistent threat actors rather than script kiddies — and that AI lowered the development cost to a point where the barrier to this capability has dropped significantly.
Who Is at Risk
Any internet-accessible Exim server compiled with GnuTLS and accepting inbound email from arbitrary senders. The practical scope:
- Exim market share: ~59% of publicly accessible MTAs
- GnuTLS Exim builds: Debian and Ubuntu ship Exim linked against GnuTLS; OpenSSL-linked builds (common on Red Hat-based distributions) are affected by the variant. Do not guess from the distribution: exim -bV names the TLS library in its "Support for:" and "Library version:" output lines, so check each host directly
- Affected Exim versions: 4.96 through 4.97.2 (current release at time of disclosure); patch not yet available at disclosure
As of May 13, Exim has not released a patched version. The disclosure was coordinated with Exim's development team, and a patch is expected within 72-96 hours. This is the most dangerous window — vulnerability known, patch not yet available.
Mitigation Before the Patch
Until a patched Exim version is available, the mitigations available:
Stop advertising CHUNKING (disables BDAT): Exim only accepts BDAT from hosts to which it has advertised the CHUNKING extension, and the main-section option that controls this is chunking_advertise_hosts (default "*", every host). Setting it to an empty value advertises CHUNKING to nobody: a client that sends BDAT anyway is rejected with a 503, and standards-compliant clients simply use DATA (the ordinary dot-terminated transfer command) instead, so mail delivery is not interrupted. Confirm the running value with exim -bP chunking_advertise_hosts. Not advertising CHUNKING removes the vulnerable code path entirely.
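The main-section settings that implement this, as an added example (not from the article's source or from the Exim project); the file path in the comment is an assumption and only the two option lines are needed:

```conf
# Exim main configuration section (path assumed: /etc/exim4/exim4.conf.template on
# Debian-layout hosts, exim.conf elsewhere).

# Advertise CHUNKING to no hosts. The default is "*" (all hosts). With CHUNKING not
# advertised, Exim rejects any BDAT command and clients transfer with DATA instead,
# so the BDAT/GnuTLS teardown path described above is never entered.
chunking_advertise_hosts =

# Per-connection process id plus protocol-error and incomplete-transaction logging,
# so a BDAT attempt and a TLS error that follows it can be tied to one session.
# Merge these into an existing log_selector line rather than adding a second one.
log_selector = +pid +smtp_protocol_error +smtp_incomplete_transaction
```

Reload Exim afterwards, check exim -bP chunking_advertise_hosts prints an empty value, and confirm from outside with an EHLO to port 25 (before and after STARTTLS) that CHUNKING is no longer listed.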
Restrict inbound SMTP: If your Exim deployment only needs to receive email from specific IP ranges (e.g., an internal mail relay rather than a public MX), restrict inbound SMTP to those IPs via firewall rules. This limits who can send the crafted BDAT sequence.
Update to patched version as soon as available: Watch the Exim project's GitHub and security mailing list. The patch is expected within 96 hours of this disclosure.
Monitor for exploitation indicators: In Exim's mainlog, look for BDAT activity immediately followed by a TLS teardown error in the same session: an SMTP session that fails mid-transfer with a GnuTLS error. This is the fingerprint of the observed exploit attempts. Exim does not write a session identifier by default, so add +pid to log_selector; every line from one SMTP connection then carries the same [pid], which makes the correlation reliable.
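A detector for that log pattern, written for this article and this article's "Detection pattern" takeaway; it is an added example, not Exim project code and not from the GTIG report. It correlates mainlog lines per session (by [pid] when log_selector includes +pid, else by the remote IP) and flags a TLS error that follows BDAT activity within a few seconds. The sample log is constructed, and the BDAT marker regex is an assumption: what Exim writes for a BDAT command depends on your log_selector, so adjust BDAT_RE to match your own log. The TLS error line shape ("TLS error on connection from ... (gnutls_handshake|recv|send): ...") is Exim's own.

```python
"""Correlate BDAT activity with an immediately following TLS teardown error, per session.

Added example for this article, not Exim project code. Input is Exim mainlog text:
'YYYY-MM-DD HH:MM:SS [pid] message', where [pid] is present when log_selector has +pid.
Sessions are keyed by pid when present, otherwise by the bracketed remote IP.
Assumptions: BDAT_RE (adjust to what your log_selector emits for BDAT) and the
constructed SAMPLE_LOG below.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:\[(?P<pid>\d+)\] )?(?P<msg>.*)$"
)
IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")
BDAT_RE = re.compile(r"\bBDAT\b")  # assumed marker for a BDAT command in your log
TLS_ERR_RE = re.compile(r"TLS error on connection from .*\((?:gnutls_\w+|recv|send)\):")


def parse_line(line):
    """Split one mainlog line into timestamp, optional pid, remote ip and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip_m = IP_RE.search(m.group("msg"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "pid": m.group("pid"),
        "ip": ip_m.group("ip") if ip_m else None,
        "msg": m.group("msg"),
    }


def find_suspicious_sessions(lines, window_seconds=5):
    """Return one hit per session where a TLS error follows a BDAT marker within the window.

    A TLS handshake error with no preceding BDAT in the same session (scanners, broken
    clients) is deliberately not a hit; neither is a BDAT transfer that completes.
    """
    last_bdat = {}
    hits = []
    for raw in lines:
        rec = parse_line(raw.rstrip("\r\n"))
        if rec is None:
            continue
        session = ("pid", rec["pid"]) if rec["pid"] else ("ip", rec["ip"])
        if session[1] is None:
            continue
        if BDAT_RE.search(rec["msg"]):
            last_bdat[session] = rec
        elif TLS_ERR_RE.search(rec["msg"]) and session in last_bdat:
            prev = last_bdat.pop(session)
            if rec["ts"] - prev["ts"] <= timedelta(seconds=window_seconds):
                hits.append({
                    "session": session,
                    "ip": rec["ip"] or prev["ip"],
                    "bdat": prev["msg"],
                    "tls_error": rec["msg"],
                })
    return hits


def summarize_by_ip(hits):
    """Count hits per remote IP, the unit you would block or hunt on."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log (not captured from any real server). Session 31022 shows the
# pattern the article describes; 31040 is a BDAT transfer that completed normally;
# 31102 is a lone handshake failure; the last two lines lack +pid and fall back to ip.
SAMPLE_LOG = """\
2026-05-13 09:41:02 [31022] SMTP connection from [203.0.113.45] (TCP/IP connection count = 3)
2026-05-13 09:41:02 [31022] H=[203.0.113.45] BDAT 4096 LAST
2026-05-13 09:41:03 [31022] TLS error on connection from [203.0.113.45] (recv): A TLS packet with unexpected length was received.
2026-05-13 09:41:03 [31022] unexpected disconnection while reading SMTP command from [203.0.113.45]
2026-05-13 09:42:10 [31040] SMTP connection from mail.partner.example [198.51.100.7] (TCP/IP connection count = 2)
2026-05-13 09:42:11 [31040] H=mail.partner.example [198.51.100.7] BDAT 9113 LAST
2026-05-13 09:42:11 [31040] 1uFx2Q-0007zk-3n <= alice@partner.example H=mail.partner.example [198.51.100.7] P=esmtps S=9113
2026-05-13 09:50:31 [31102] TLS error on connection from [192.0.2.99] (gnutls_handshake): The TLS connection was non-properly terminated.
2026-05-13 10:03:44 H=[203.0.113.45] BDAT 4096 LAST
2026-05-13 10:03:45 TLS error on connection from [203.0.113.45] (send): The TLS connection was non-properly terminated.
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            found = find_suspicious_sessions(fh)
    else:
        found = find_suspicious_sessions(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["session"], h["ip"], "|", h["bdat"], "->", h["tls_error"])
    print("per-ip:", summarize_by_ip(found))
```

Run it as python3 detect_bdat_tls.py /var/log/exim4/mainlog on a host with +pid enabled; without +pid the IP fallback still works but will merge concurrent connections from one address. The window is deliberately short: the article's fingerprint is a teardown that follows the BDAT sequence immediately, and a long window would sweep in unrelated handshake noise from scanners.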
What This Means for the AI Security Landscape
OpenAI's Daybreak platform (announced this week) and Anthropic's Claude Mythos are explicitly designed as AI-powered defensive tools — finding vulnerabilities before attackers do. CVE-2026-45185 is the first public evidence that offensive AI capability has caught up.
The arms race framing: AI finds vulnerabilities faster and at lower cost than human researchers. When defensive AI and offensive AI both have access to the same codebase, the question is which system is better at reasoning about multi-codebase interactions, prioritising high-value targets, and generating reliable exploits. There is no reason to assume defenders have a structural advantage.
The specific challenge CVE-2026-45185 illustrates is cross-library vulnerability discovery — bugs that exist at the interaction boundary between two codebases. Most traditional vulnerability scanning tools (fuzzers, static analysers) are single-codebase tools. AI systems that can load and reason about multiple codebases simultaneously are better suited to this class than any prior defensive tool. But the same capability is equally available to attackers.
The implication for organisations: treating AI-assisted offensive capability as a future threat is now wrong. It is a present threat. The patching and monitoring practices appropriate for human-discovered vulnerabilities are equally necessary for AI-discovered ones — but the speed of discovery and exploitation will be faster than the historical baseline suggests.
Key Takeaways
- CVE-2026-45185 "Dead.Letter": Use-after-free in Exim BDAT handler + GnuTLS session lifecycle; remote code execution from SMTP; affects Exim 4.96-4.97.2; no patch as of May 13 — expected within 96 hours
- First AI-developed zero-day in wild: Google Threat Intelligence Group confirmed AI was used to discover and weaponize this vulnerability; evidence from cross-library analysis precision, first-attempt exploit reliability, and GnuTLS/OpenSSL variant pair
- Blast radius: ~59% of publicly accessible mail servers run Exim; GnuTLS builds (Debian/Ubuntu default) directly affected; OpenSSL variant also developed
- Mitigation now: Stop advertising CHUNKING by setting chunking_advertise_hosts to an empty value in the Exim main config (removes the BDAT path; clients fall back to DATA automatically); restrict inbound SMTP to known IPs if possible; patch the moment it's available
- Arms race confirmed: Offensive AI capability (cross-library vulnerability discovery, automated exploit refinement, variant generation) is now operational in real attacks — the defensive AI tools launched this week (OpenAI Daybreak, Anthropic Claude Mythos) are directly competing with this capability
- Detection pattern: Look for BDAT transactions with immediate GnuTLS teardown errors in same session — the exploit fingerprint in Exim logs
For the OpenAI Daybreak platform explicitly designed to find these vulnerabilities before attackers, read OpenAI Daybreak: GPT-5.5-Cyber and Codex Security vs. Claude Mythos. For the BeyondTrust PAM breach with 10,600 exposed instances, read CVE-2026-1731: BeyondTrust Pre-Auth RCE.
Frequently Asked Questions
What is CVE-2026-45185 and why is it significant?
CVE-2026-45185 "Dead.Letter" is a use-after-free vulnerability in Exim mail server's BDAT (Binary Data) SMTP handler when compiled with GnuTLS support. An attacker who can send email to an affected server can exploit the bug for remote code execution. Exim runs on approximately 59% of publicly accessible mail servers, making the blast radius enormous. CVE-2026-45185 is significant beyond the vulnerability itself: Google's Threat Intelligence Group confirmed that the threat actor used AI to discover and weaponize it — the first confirmed AI-developed zero-day exploit used in real attacks.
How do I mitigate CVE-2026-45185 in Exim before a patch is available?
Two mitigations are available without a patch. First, stop advertising the CHUNKING extension by setting chunking_advertise_hosts to an empty value in the Exim main configuration. Exim then rejects any BDAT command, and mail clients use the standard DATA command instead, so this does not break email delivery. Second, restrict inbound SMTP to known IP ranges via firewall if your deployment allows it. Monitor Exim logs for BDAT activity followed by GnuTLS teardown errors in the same session (add +pid to log_selector so lines from one connection can be tied together); this is the exploit fingerprint. Apply the Exim patch as soon as it's available (expected within 96 hours of the May 13 disclosure).
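A way to verify the first mitigation from the outside, as an added example written for this article (not Exim project code): it parses an EHLO reply and reports whether CHUNKING, and therefore BDAT, is still offered, and the live check repeats the EHLO after STARTTLS because the bug is in the TLS path. The two EHLO replies embedded below are constructed for offline testing; the host name in them is an assumption.

```python
"""Check whether an SMTP server still advertises CHUNKING (i.e. still accepts BDAT).

Added example for this article, not Exim project code. Assumes plain SMTP on port 25
with optional STARTTLS. The EHLO replies below are constructed, not captured.
"""
import smtplib
import ssl


def parse_ehlo_reply(reply):
    """Return the set of upper-cased ESMTP keywords from a raw multi-line EHLO reply.

    The first 250 line carries the server's greeting, not an extension, so it is
    skipped. Remaining lines look like '250-SIZE 52428800' or '250 HELP'; the keyword
    is the first token after the four-character '250-' / '250 ' prefix.
    """
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    for ln in lines[1:]:
        body = ln[4:].strip()
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def accepts_bdat(reply):
    """True if CHUNKING is advertised, meaning the BDAT code path is reachable."""
    return "CHUNKING" in parse_ehlo_reply(reply)


def check_host(host, port=25, timeout=10.0):
    """Live probe: EHLO before and, when offered, after STARTTLS.

    smtplib stores advertised keywords lower-cased in esmtp_features and clears them
    on every ehlo(), so the post-STARTTLS EHLO is read fresh.
    """
    result = {"plain": None, "tls": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["plain"] = "chunking" in smtp.esmtp_features
        if smtp.has_extn("starttls"):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False  # probing our own MTA; certificate trust is not the question here
            ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            smtp.ehlo()
            result["tls"] = "chunking" in smtp.esmtp_features
    return result


# Constructed EHLO replies for offline use (host name is an assumption).
REPLY_VULNERABLE = (
    "250-mx.example.test Hello probe [203.0.113.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
REPLY_MITIGATED = REPLY_VULNERABLE.replace("250-CHUNKING\r\n", "")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))
    else:
        print("vulnerable banner accepts BDAT:", accepts_bdat(REPLY_VULNERABLE))
        print("mitigated banner accepts BDAT:", accepts_bdat(REPLY_MITIGATED))
```

Run python3 check_chunking.py mx.yourdomain.example from outside your network; both values in the result should be False once chunking_advertise_hosts is empty. A True under "tls" with False under "plain" would mean the option is being overridden for TLS sessions, which is worth investigating before trusting the mitigation.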
What evidence showed that AI was used to develop the CVE-2026-45185 exploit?
Google's Threat Intelligence Group cited three pieces of evidence: (1) The vulnerability requires understanding a cross-library interaction between Exim and GnuTLS simultaneously — a class of bug extremely difficult to find via standard single-codebase fuzzing, but well-suited to AI systems that can reason across multiple codebases; (2) The exploit achieves first-attempt reliability against hardened targets with ASLR and PIE enabled, which is more consistent with automated testing and refinement loops than manual development; (3) The attacker also developed a working variant for Exim compiled with OpenSSL (a different TLS library), requiring re-analysis of the vulnerable code path — generating two high-quality variants simultaneously suggests automated analysis rather than manual porting.
Does this mean AI is now being used for cyberattacks?
Yes, as of May 13, 2026, this is confirmed. CVE-2026-45185 is the first public evidence of AI being used to discover a zero-day vulnerability and develop a weaponized exploit that was deployed in real attacks. Security researchers have anticipated this capability for years; Google's disclosure confirms it is operational. The implication for organisations: the assumption that patch windows of days to weeks are sufficient may no longer hold — AI-assisted offensive operations can discover, exploit, and run campaigns faster than human-led attack operations. Defensive AI tools (OpenAI Daybreak, Anthropic Claude Mythos) are explicitly designed to find vulnerabilities at the same speed before attackers do.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 795+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 164 countries.
