PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45185 cPanel CVE debrief

CVE-2026-45185, also called Dead.Letter, is described as a use-after-free in Exim BDAT message body parsing when TLS is handled by GnuTLS. cPanel’s official advisory states its Exim build does not set USE_GNUTLS, depends on OpenSSL instead, and is not affected.

Vendor: cPanel
Product: cPanel/WHM
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-15
Advisory published: 2026-05-12
Advisory updated: 2026-05-15

Who should care

cPanel/WHM administrators, Exim maintainers, and operators of environments that may build or package Exim with GnuTLS support. For standard cPanel/WHM systems, the vendor says this issue does not apply.

Technical summary

The vendor describes the flaw as a use-after-free in Exim’s binary data transmission (BDAT) message body parsing, triggered in the GnuTLS TLS path. cPanel says its Exim builds do not explicitly enable USE_GNUTLS and use OpenSSL, so the affected code path is not present in their builds.

Defensive priority

Low for standard cPanel/WHM installations; no immediate remediation is needed based on the vendor advisory.

Recommended defensive actions

  • No immediate action is required for standard cPanel/WHM systems, per the vendor advisory.
  • If you maintain custom Exim builds, verify whether USE_GNUTLS is enabled and whether your TLS stack matches the affected GnuTLS path.
  • Track the official cPanel advisory and the CVE record for any future updates or scope changes.
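
One way to carry out the custom-build check above, as an added example that is not taken from the cPanel advisory or the Exim project. It assumes the build reports its compiled-in TLS library on the "Support for:" line of `exim -bV`; the function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify which TLS library an Exim binary was built with, using the text
# printed by `exim -bV`. Assumption: the TLS library is listed as a token on
# the "Support for:" line of that output.

# Constructed sample outputs (not captured from real hosts).
SAMPLE_GNUTLS='Exim version 4.xx #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS Content_Scanning DKIM DNSSEC PRDR
Library version: GnuTLS: Compile: 3.x.x
                         Runtime: 3.x.x'
SAMPLE_OPENSSL='Exim version 4.xx #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC PRDR
Library version: OpenSSL: Compile: OpenSSL 3.x.x'

# $1 = full `exim -bV` text. Prints gnutls, openssl, none or unknown.
exim_tls_backend() {
    support=$(printf '%s\n' "$1" | grep -i '^Support for:' | head -n 1)
    if [ -z "$support" ]; then
        echo unknown            # not recognisable -bV output
        return 0
    fi
    # Pad with spaces so a token at the end of the line still matches.
    case " $support " in
        *" GnuTLS "*)  echo gnutls ;;
        *" OpenSSL "*) echo openssl ;;
        *)             echo none ;;
    esac
}

# $1 = full `exim -bV` text. Prints a one-line triage result for this CVE.
exim_cve_scope() {
    case "$(exim_tls_backend "$1")" in
        gnutls)  echo "review: built with GnuTLS, the TLS path named in the advisory" ;;
        openssl) echo "out of described scope: built with OpenSSL" ;;
        none)    echo "out of described scope: no TLS library compiled in" ;;
        *)       echo "undetermined: no 'Support for:' line found" ;;
    esac
}

# Triage the local binary if one is installed, then show both samples.
if command -v exim >/dev/null 2>&1; then
    echo "local exim: $(exim_cve_scope "$(exim -bV 2>/dev/null)")"
fi
echo "sample (GnuTLS build):  $(exim_cve_scope "$SAMPLE_GNUTLS")"
echo "sample (OpenSSL build): $(exim_cve_scope "$SAMPLE_OPENSSL")"
```

A "review" result only means the build uses the TLS library the advisory names; whether a given Exim version is affected still has to be confirmed against the CVE record.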

Evidence notes

This debrief is based on the cPanel official security article for CVE-2026-45185, published 2026-05-12 and updated 2026-05-15, which states cPanel builds use OpenSSL and are not affected. The CVE record and NVD detail are linked as official references, but the impact assessment here follows the vendor’s stated scope.

Official resources

Vendor official advisory published 2026-05-12 and updated 2026-05-15; cPanel states there is no impact on its builds.