CVE-2026-49840
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| signalwire | freeswitch | < 1.11.1 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
- CWE-122: CWE-122: Heap-based Buffer Overflow
- CWE-195: CWE-195: Signed to Unsigned Conversion Error
- CWE-787: CWE-787: Out-of-bounds Write
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/signalwire/freeswitch/security/advisories/GHSA-g597-9fgg-ghg9
- https://github.com/signalwire/freeswitch/releases/tag/v1.11.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.