Skip to main content

FreeSWITCH CVE-2026-49840

| EUVDEUVD-2026-35471 CRITICAL
Improper Input Validation (CWE-20)
2026-06-09 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 18:02 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 16:46 vuln.today
Analysis Generated
Jun 09, 2026 - 16:46 vuln.today

DescriptionGitHub Advisory

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.

AnalysisAI

Heap corruption in FreeSWITCH libesl prior to version 1.11.1 allows a malicious or man-in-the-middle Event Socket Library (ESL) peer to crash or corrupt the memory of any process linked against libesl by sending a frame containing a negative Content-Length header. The flaw is pre-authentication and reachable before the client completes authentication to the peer, and no public exploit identified at time of analysis despite a CVSS of 9.1.

Technical ContextAI

FreeSWITCH is an open-source Software Defined Telecom Stack from SignalWire used to build VoIP, PBX, and real-time communications platforms. The vulnerability resides in libesl, the client library implementing the FreeSWITCH Event Socket Layer (ESL) protocol used to send commands and receive events from a FreeSWITCH server. Specifically, esl_recv_event() reads the Content-Length header from an inbound ESL frame, converts it with atol() (which returns a signed long), and passes the result directly to malloc(len + 1) without sign or magnitude validation. This is a textbook CWE-20 Improper Input Validation: a negative value bypasses any implicit bounds expectation and, after the +1 arithmetic, is reinterpreted as a huge size_t by malloc, producing allocation failure or undersized buffers that subsequent reads overflow, corrupting the heap of the client process.

RemediationAI

The primary fix is to upgrade to vendor-released patch FreeSWITCH 1.11.1, available at https://github.com/signalwire/freeswitch/releases/tag/v1.11.1, which adds Content-Length validation in esl_recv_event per the 'libesl: Validate Content-Length in esl_recv_event' entry in the release notes; the security advisory is at https://github.com/signalwire/freeswitch/security/advisories/GHSA-g597-9fgg-ghg9. Operators who cannot immediately upgrade should restrict outbound ESL connections from libesl-linked clients to known, trusted FreeSWITCH servers only, ideally over a private management network or mutually authenticated TLS tunnel, since the trade-off is that any path that allows a MITM or rogue ESL peer between client and server is sufficient to trigger the bug regardless of FreeSWITCH-level authentication. Network-layer compensating controls include firewalling the ESL port (default TCP 8021) so that libesl-linked clients can only reach vetted endpoints, accepting the side effect that legitimate cross-network ESL automation will need to be re-routed.

CVE-2019-19492 CRITICAL POC
9.8 Dec 02

FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th

CVE-2015-7392 HIGH POC
7.5 Oct 05

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x

CVE-2021-41158 HIGH POC
7.5 Oct 26

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41145 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41105 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-37624 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-36513 HIGH POC
7.5 Oct 18

An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all

CVE-2018-19911 HIGH POC
7.5 Dec 06

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api

CVE-2013-2238 MEDIUM POC
6.8 Sep 30

Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a

CVE-2023-40019 MEDIUM POC
6.5 Sep 15

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2023-51443 MEDIUM POC
5.9 Dec 27

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2026-49841 CRITICAL
9.8 Jun 09

Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt

Share

CVE-2026-49840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy