Kamailio CVE-2025-12205

LOW
Buffer Overflow (CWE-119)
2025-10-27 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Apr 29, 2026 - 02:19 (vuln.today)

Description (CVE.org)

A vulnerability was detected in Kamailio 5.5. The affected element is the function sr_push_yy_state of the file src/core/cfg.lex of the component Configuration File Handler. The manipulation results in use after free. The attack must be initiated from a local position. The exploit is now public and may be used. The real existence of this vulnerability is still doubted at the moment. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Use-after-free vulnerability in Kamailio 5.5.0 configuration file parser allows local authenticated attackers to cause denial of service or memory corruption via malformed configuration files. The vulnerability exists in the sr_push_yy_state function within the lexical analyzer (cfg.lex) and has publicly available exploit code, though the vendor has not responded to disclosure and practical exploitability remains uncertain due to the requirement for direct configuration file manipulation.

Technical Context (AI)

The vulnerability exists in Kamailio's configuration file parsing subsystem, specifically in the lexical analyzer (src/core/cfg.lex). The sr_push_yy_state function manages the parser's state stack during configuration file tokenization. The use-after-free condition (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) indicates that freed memory is being accessed during lexical analysis, likely when processing malformed configuration directives. This is a memory safety issue in C code without proper bounds checking or use-after-free protection. The affected product is Kamailio 5.5.0, as identified via CPE cpe:2.3:a:kamailio:kamailio:5.5.0:*:*:*:*:*:*:*.

Remediation (AI)

No vendor-released patch has been identified at the time of analysis, as the Kamailio vendor did not respond to the disclosure. Users of Kamailio 5.5.0 should immediately apply the strictest available access controls to configuration files: restrict file permissions to the Kamailio process user and dedicated administrators only (chmod 0600 or similar), disable configuration reload functionality if not actively used, validate all configuration file changes through integrity monitoring tools (e.g., AIDE, Tripwire, or file system ACLs), and implement configuration file change logs to audit who and what modified parsing-related directives. For production systems, consider upgrading to the next stable release (5.6.x or later) once vendor patches are issued and tested. Temporary mitigation includes disabling dynamic configuration reloading if the vulnerable code path is only triggered during reload operations. However, these mitigations do not address the underlying memory safety issue and should be treated as temporary measures pending vendor patches. Users should subscribe to Kamailio security mailing lists or monitor GitHub releases for patch availability.
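One way to run the permission and integrity checks described above, as an added example that is not part of the original page or of Kamailio's own tooling. The config path, baseline location and service account name in the comments are assumptions, as is the use of GNU coreutils (`stat -c`, `sha256sum`).

```shell
#!/bin/sh
# Added example (not Kamailio tooling). Assumes GNU coreutils.
# Typical use; paths and the account name are assumptions:
#   write_baseline /var/lib/cfg-audit/kamailio.sha256 /etc/kamailio/kamailio.cfg
#   audit_cfg /var/lib/cfg-audit/kamailio.sha256 "$(id -u kamailio)"

# write_baseline BASELINE FILE...
# Record the SHA-256 of each reviewed, known-good config file.
write_baseline() {
    out=$1
    shift
    sha256sum "$@" > "$out"
}

# audit_cfg BASELINE OWNER_UID
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_cfg() {
    baseline=$1
    owner_uid=$2
    bad=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            bad=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        uid=$(stat -c '%u' "$path")
        # Anything other than owner-only bits (e.g. 600, 400) is a finding.
        case "$mode" in
            0|*00) ;;
            *) echo "MODE $path is $mode, group/other access present"; bad=1 ;;
        esac
        if [ "$uid" != "$owner_uid" ]; then
            echo "OWNER $path is uid $uid, expected $owner_uid"
            bad=1
        fi
        # Content drift since the baseline was taken.
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path differs from baseline"
            bad=1
        fi
    done < "$baseline"
    return "$bad"
}
```

Keep the baseline file somewhere the Kamailio service account cannot write, otherwise a modified config can be hidden by rewriting the baseline alongside it.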
