Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0.
AnalysisAI
Out-of-bounds memory access in FreeSWITCH versions prior to 1.11.0 allows remote unauthenticated attackers to crash the telephony stack by sending a malformed STUN packet whose declared attribute length is smaller than the structure the parser casts it to. No public exploit has been identified at time of analysis, but the network-reachable nature of STUN on media-handling deployments makes this a denial-of-service risk for any exposed FreeSWITCH instance handling WebRTC or NAT-traversal traffic.
Technical ContextAI
FreeSWITCH is an open-source Software Defined Telecom Stack maintained by SignalWire (cpe:2.3:a:signalwire:freeswitch) that handles SIP, WebRTC, and media routing. STUN (Session Traversal Utilities for NAT, RFC 5389) is used to discover NAT mappings during ICE candidate negotiation for media sessions. The flaw maps to CWE-20 (Improper Input Validation): the STUN attribute parser trusts the attribute length field declared in the packet header and casts the payload to a fixed C struct without verifying that the declared length is large enough to contain that struct. When the declared length is shorter than the structure size, the parser reads and writes past the end of the per-leg media buffer, producing an out-of-bounds access on heap memory tied to the call leg.
RemediationAI
Vendor-released patch: upgrade to FreeSWITCH 1.11.0 (https://github.com/signalwire/freeswitch/releases/tag/v1.11.0), which the project flags as an important release containing critical security fixes; review the migration notes for breaking changes since 1.11.0 also switches the regex engine to PCRE2, removes roughly thirty legacy modules, and upgrades the Windows OpenSSL build to 3.x. Until upgrade is possible, restrict UDP reachability to the FreeSWITCH media ports (default RTP/ICE range and any configured STUN listeners) so only known SIP/WebRTC peers can send STUN traffic - typically by ACL'ing the media interface to trusted carrier and client subnets at the edge firewall - with the trade-off that this breaks NAT traversal for clients outside the allowlist and is not viable for public WebRTC services. Where edge filtering is impractical, place the instance behind a STUN-aware SBC or session border element that validates attribute lengths before forwarding, accepting the added latency and operational complexity. Refer to the GHSA-9j6h-hc95-q926 advisory for the authoritative fix metadata.
More in Freeswitch
View allFreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt
Same weakness CWE-20 – Improper Input Validation
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35470