Skip to main content

FreeSWITCH CVE-2026-49841

| EUVDEUVD-2026-35472 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-06-09 GitHub_M
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 18:02 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 16:47 vuln.today
Analysis Generated
Jun 09, 2026 - 16:47 vuln.today

DescriptionGitHub Advisory

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the mod_verto HTTP request handler allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts Content-Length up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than the buffer size, producing an attacker-controlled heap overflow of up to ~8 MiB -- before the HTTP basic-auth check runs. This issue has been patched in version 1.11.1.

AnalysisAI

Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt up to ~8 MiB of heap memory by sending a crafted HTTP POST request with an oversized Content-Length header. The flaw is triggered before HTTP basic-auth validation runs, enabling pre-authentication exploitation against any exposed mod_verto HTTP endpoint, with CVSS 9.8 reflecting potential for remote code execution; no public exploit identified at time of analysis.

Technical ContextAI

FreeSWITCH is an open-source software-defined telecom stack maintained by SignalWire (per the cpe:2.3:a:signalwire:freeswitch CPE). The vulnerability lives in mod_verto, the WebSocket/HTTP module that powers Verto signaling for WebRTC clients. Specifically, the HTTP POST handler for application/x-www-form-urlencoded bodies allocates a fixed 2 MiB heap buffer, but the body-read loop is bounded by the attacker-supplied Content-Length header (accepted up to just under 10 MiB) rather than the destination buffer's size. This is a classic CWE-122 heap-based buffer overflow caused by a length-check mismatch between allocation and copy, and critically the overflow occurs before HTTP basic authentication is enforced, making the vulnerable code path reachable by anonymous attackers.

RemediationAI

Vendor-released patch: upgrade FreeSWITCH to version 1.11.1 or later, which contains the 'mod_verto: Fix heap overflow in HTTP POST body read' fix listed in the v1.11.1 release notes at https://github.com/signalwire/freeswitch/releases/tag/v1.11.1; the GHSA-wfrq-qvg2-f88f advisory provides the coordinated disclosure details. Operators who cannot upgrade immediately should restrict network exposure of the mod_verto HTTP listener - bind it only to trusted interfaces, place it behind a reverse proxy or WAF that enforces a maximum Content-Length well under 2 MiB on POST application/x-www-form-urlencoded requests to Verto endpoints, or disable mod_verto entirely if WebRTC/Verto signaling is unused (trade-off: WebRTC clients will lose connectivity). Network ACLs limiting source IPs to known SIP/WebRTC clients reduce exposure but do not eliminate risk from compromised internal hosts.

CVE-2019-19492 CRITICAL POC
9.8 Dec 02

FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th

CVE-2015-7392 HIGH POC
7.5 Oct 05

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x

CVE-2021-41158 HIGH POC
7.5 Oct 26

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41145 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41105 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-37624 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-36513 HIGH POC
7.5 Oct 18

An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all

CVE-2018-19911 HIGH POC
7.5 Dec 06

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api

CVE-2013-2238 MEDIUM POC
6.8 Sep 30

Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a

CVE-2023-40019 MEDIUM POC
6.5 Sep 15

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2023-51443 MEDIUM POC
5.9 Dec 27

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41157 MEDIUM POC
5.3 Oct 26

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

Share

CVE-2026-49841 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy