Skip to main content

Verizon VoLTE CVE-2026-10629

| EUVDEUVD-2026-33945 HIGH
2026-06-02 certcc GHSA-8pfq-65f4-r264
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Analysis Updated
Jun 03, 2026 - 16:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 16:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jun 03, 2026 - 16:22 NVD
CRITICAL HIGH
CVSS changed
Jun 03, 2026 - 16:22 NVD
9.1 (CRITICAL) 7.4 (HIGH)
Analysis Generated
Jun 02, 2026 - 20:25 vuln.today
CVSS changed
Jun 02, 2026 - 20:22 NVD
9.1 (CRITICAL)
CVE Published
Jun 02, 2026 - 14:35 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network.

AnalysisAI

Cleartext SIP signaling in Verizon's VoLTE/IMS infrastructure allows an on-path attacker positioned on the radio or core network to intercept and tamper with VoIP call signaling because IPsec integrity protection (Security-Client/Security-Server headers and ESP-protected traffic) is not enforced. The flaw, reported by CERT/CC and tracked as EUVD-2026-33945, affects an unspecified Verizon IMS deployment and enables disclosure of call metadata, caller identity spoofing, and signaling manipulation. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%.

Technical ContextAI

VoLTE (Voice over LTE) relies on the IMS (IP Multimedia Subsystem) architecture, where SIP messages between the User Equipment (UE) and the P-CSCF (Proxy Call Session Control Function) are required by 3GPP TS 33.203 to be protected by IPsec ESP in transport mode, negotiated via Security-Client and Security-Server SIP headers during registration. In Verizon's affected IMS deployment (CPE cpe:2.3:a:verizon:volte) these protections are absent, so SIP REGISTER, INVITE, and related messages traverse the radio and core network without confidentiality or integrity protection. Although no CWE is assigned, the root cause aligns with CWE-319 (Cleartext Transmission of Sensitive Information) and CWE-300 (Channel Accessible by Non-Endpoint / man-in-the-middle exposure), as referenced in the 3GPP TS 33.203 specification cited in the advisory.

RemediationAI

No vendor-released patch identified at time of analysis; this is a carrier-side configuration and infrastructure issue that subscribers cannot directly remediate, so the primary action is for Verizon to enable 3GPP TS 33.203-compliant IMS access security - negotiating Security-Client/Security-Server headers during SIP REGISTER and enforcing IPsec ESP between the UE and P-CSCF - and customers should monitor the CERT/CC Vulnerability Note at https://www.kb.cert.org/vuls/id/615987 for vendor guidance. Until carrier-side fixes are confirmed, organizations handling sensitive voice traffic on Verizon VoLTE should consider compensating controls such as routing high-sensitivity calls over end-to-end encrypted OTT voice apps (Signal, WhatsApp) which terminate above the SIP layer - trade-off: loses PSTN reachability and number-based identity; disabling VoLTE on managed devices and forcing fallback to legacy CS voice where supported - trade-off: degraded audio quality, no VoLTE-only features, and the legacy radio stack has its own well-known weaknesses; and restricting use of VoLTE on devices that may transit untrusted radio environments (e.g., near suspected IMSI catchers or rogue small cells) - trade-off: operational inconvenience but reduces on-path exposure.

Share

CVE-2026-10629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy