Skip to main content

FreeSWITCH CVE-2026-49842

| EUVDEUVD-2026-35473 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 18:02 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 16:47 vuln.today
Analysis Generated
Jun 09, 2026 - 16:47 vuln.today

DescriptionGitHub Advisory

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1.

AnalysisAI

Unauthenticated outbound bandwidth amplification in FreeSWITCH versions prior to 1.11.1 allows remote attackers to coerce the server into emitting roughly 20 GB of traffic per short request via the mod_verto WebSocket #SPU speed-test command. The pre-auth code path parses the requested payload size with atoi() and only rejects non-positive values, letting a peer ask for up to INT_MAX bytes and triggering a size*10 download. No public exploit is identified at time of analysis, but the high-severity CVSS (7.5, A:H) and trivial trigger make this a credible DDoS-as-a-service primitive.

Technical ContextAI

FreeSWITCH (Signalwire) is an open-source software-defined telecom switch; mod_verto is its WebSocket-based signaling module for the Verto WebRTC protocol. The flaw sits in mod_verto's WebSocket frame loop, which inspects incoming frames for a '#'-prefixed speed-test sub-protocol (#SPU upload, #SPB bidirectional, #SPE end) before invoking the authentication gate. Per CWE-400 (Uncontrolled Resource Consumption), the #SPU handler converts the attacker-supplied payload-size string using atoi() with only a non-positive-value guard, then the download phase writes approximately ten times that value back to the peer - a classic missing upper-bound check producing bandwidth amplification rather than memory exhaustion. The CPE identifies signalwire:freeswitch in all versions matching the wildcard up to but not including 1.11.1.

RemediationAI

Vendor-released patch: upgrade to FreeSWITCH 1.11.1 (https://github.com/signalwire/freeswitch/releases/tag/v1.11.1), which moves the #SPU/#SPB/#SPE speed-test handlers behind the authentication gate and is the authoritative fix per advisory GHSA-p3gx-p2w7-wp35. If immediate upgrade is not possible, restrict network exposure of the mod_verto WebSocket listener (commonly TCP 8081/8082) at the firewall to known WebRTC client networks, or unload mod_verto entirely via fs_cli 'unload mod_verto' if Verto signaling is unused - the trade-off is loss of all WebRTC/Verto-based call handling for that node. As a narrower mitigation, terminate the WebSocket behind a reverse proxy that enforces per-IP egress byte caps and request-rate limits so a single connection cannot draw 20 GB of response traffic; this preserves Verto functionality but adds proxy latency and an operational dependency. Do not rely on authentication on the upstream Verto user accounts as a control - the vulnerable code path runs before any password check.

CVE-2019-19492 CRITICAL POC
9.8 Dec 02

FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th

CVE-2015-7392 HIGH POC
7.5 Oct 05

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x

CVE-2021-41158 HIGH POC
7.5 Oct 26

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41145 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41105 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-37624 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-36513 HIGH POC
7.5 Oct 18

An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all

CVE-2018-19911 HIGH POC
7.5 Dec 06

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api

CVE-2013-2238 MEDIUM POC
6.8 Sep 30

Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a

CVE-2023-40019 MEDIUM POC
6.5 Sep 15

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2023-51443 MEDIUM POC
5.9 Dec 27

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2026-49841 CRITICAL
9.8 Jun 09

Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt

Share

CVE-2026-49842 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy