Kamailio
CVE-2025-12207
LOW
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in Kamailio 5.5. This affects the function yyerror_at of the file src/core/cfg.y of the component Grammar Rule Handler. Such manipulation leads to null pointer dereference. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The actual existence of this vulnerability is currently in question. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Null pointer dereference in Kamailio 5.5.0's grammar rule handler (src/core/cfg.y, yyerror_at function) causes denial of service when processing malformed configuration files. Local authenticated attackers can trigger the vulnerability by manipulating config files, resulting in application crash. Publicly available exploit code exists, but exploitation requires local access and config file manipulation, limiting real-world attack surface. EPSS score of 0.03% indicates minimal exploitation probability despite disclosed POC.
Technical Context (AI)
Kamailio is a SIP (Session Initiation Protocol) server and media proxy commonly deployed in VoIP infrastructure. The vulnerability exists in the configuration file parser (cfg.y), which is part of the core grammar rule handling system. The affected component (yyerror_at function) is invoked during config file parsing when syntax errors are encountered. CWE-404 (Improper Resource Validation) indicates the code fails to properly validate or check for null pointer conditions before dereferencing, a common issue in C-based parsers generated from yacc/bison specifications. The vulnerability is triggered during the initialization or reload phase when Kamailio reads its configuration file from disk.
Remediation (AI)
No vendor-released patch was identified at the time of analysis. The Kamailio project did not respond to early disclosure. Recommended mitigations:
(1) Restrict local file system access to the Kamailio configuration directory using OS-level permissions: ensure only authorized administrators and the Kamailio process user can modify config files, reducing the likelihood of malicious config injection.
(2) Implement configuration file integrity monitoring (e.g., aide, osquery) to detect unauthorized changes and trigger alerts before reload.
(3) Use immutable configuration delivery via read-only file systems or containerization where the config is baked into the image, preventing runtime modification.
(4) If upgrading is feasible, test Kamailio 5.6 or later versions, though fix status for this specific CVE is unconfirmed.
(5) Monitor Kamailio process logs and syslog for config parsing errors that may indicate attack attempts.
Organizations should prioritize this only if running Kamailio 5.5.0 in multi-tenant or hostile environments; default single-admin deployments face minimal risk.
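Mitigations (1) and (2) can be combined into a check that runs before each reload. The script below is an added example, not code from this page or from the Kamailio project; the function names, the baseline file format and the paths passed as arguments are assumptions, and it expects GNU find and sha256sum.

```shell
#!/bin/sh
# Added example: pre-reload gate for a Kamailio config file.
# Assumptions (not from the page): config and baseline paths are supplied
# by the caller; the baseline is a file written by `sha256sum`.

# Succeeds if the path is writable by group or by others.
loosely_writable() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)" ]
}

# record_baseline CFG BASELINE
# Run by an administrator after a reviewed config change.
record_baseline() {
    sha256sum -- "$1" > "$2" && chmod 0600 "$2"
}

# audit_cfg CFG BASELINE
# Returns 0 = ok, 1 = permissions too loose, 2 = hash drift, 3 = missing input.
audit_cfg() {
    _cfg=$1
    _baseline=$2
    [ -f "$_cfg" ] && [ -f "$_baseline" ] || return 3
    _dir=$(dirname -- "$_cfg")
    # Mitigation (1): neither the file nor its directory may be
    # group- or world-writable.
    if loosely_writable "$_cfg" || loosely_writable "$_dir"; then
        echo "FAIL: $_cfg or $_dir is group/world-writable" >&2
        return 1
    fi
    # Mitigation (2): content must match the recorded digest.
    _want=$(awk '{print $1; exit}' "$_baseline")
    _got=$(sha256sum -- "$_cfg" | awk '{print $1}')
    if [ "$_want" != "$_got" ]; then
        echo "FAIL: $_cfg differs from recorded baseline" >&2
        return 2
    fi
    echo "OK: $_cfg matches baseline and is not loosely writable"
}

# When invoked with two arguments, act as the gate itself.
if [ "$#" -ge 2 ]; then
    audit_cfg "$1" "$2"
    exit $?
fi
```

A non-zero exit should block the reload and raise an alert; keep the baseline file outside the directory being audited and writable only by administrators.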