Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.
AnalysisAI
Heap corruption in FreeSWITCH libesl prior to version 1.11.1 allows a malicious or man-in-the-middle Event Socket Library (ESL) peer to crash or corrupt the memory of any process linked against libesl by sending a frame containing a negative Content-Length header. The flaw is pre-authentication and reachable before the client completes authentication to the peer, and no public exploit identified at time of analysis despite a CVSS of 9.1.
Technical ContextAI
FreeSWITCH is an open-source Software Defined Telecom Stack from SignalWire used to build VoIP, PBX, and real-time communications platforms. The vulnerability resides in libesl, the client library implementing the FreeSWITCH Event Socket Layer (ESL) protocol used to send commands and receive events from a FreeSWITCH server. Specifically, esl_recv_event() reads the Content-Length header from an inbound ESL frame, converts it with atol() (which returns a signed long), and passes the result directly to malloc(len + 1) without sign or magnitude validation. This is a textbook CWE-20 Improper Input Validation: a negative value bypasses any implicit bounds expectation and, after the +1 arithmetic, is reinterpreted as a huge size_t by malloc, producing allocation failure or undersized buffers that subsequent reads overflow, corrupting the heap of the client process.
RemediationAI
The primary fix is to upgrade to vendor-released patch FreeSWITCH 1.11.1, available at https://github.com/signalwire/freeswitch/releases/tag/v1.11.1, which adds Content-Length validation in esl_recv_event per the 'libesl: Validate Content-Length in esl_recv_event' entry in the release notes; the security advisory is at https://github.com/signalwire/freeswitch/security/advisories/GHSA-g597-9fgg-ghg9. Operators who cannot immediately upgrade should restrict outbound ESL connections from libesl-linked clients to known, trusted FreeSWITCH servers only, ideally over a private management network or mutually authenticated TLS tunnel, since the trade-off is that any path that allows a MITM or rogue ESL peer between client and server is sufficient to trigger the bug regardless of FreeSWITCH-level authentication. Network-layer compensating controls include firewalling the ESL port (default TCP 8021) so that libesl-linked clients can only reach vetted endpoints, accepting the side effect that legitimate cross-network ESL automation will need to be re-routed.
More in Freeswitch
View allFreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35471