Skip to main content

FreeSWITCH EUVDEUVD-2026-35470

| CVE-2026-49475 HIGH
Improper Input Validation (CWE-20)
2026-06-09 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 18:02 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 16:46 vuln.today
Analysis Generated
Jun 09, 2026 - 16:46 vuln.today

DescriptionGitHub Advisory

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0.

AnalysisAI

Out-of-bounds memory access in FreeSWITCH versions prior to 1.11.0 allows remote unauthenticated attackers to crash the telephony stack by sending a malformed STUN packet whose declared attribute length is smaller than the structure the parser casts it to. No public exploit has been identified at time of analysis, but the network-reachable nature of STUN on media-handling deployments makes this a denial-of-service risk for any exposed FreeSWITCH instance handling WebRTC or NAT-traversal traffic.

Technical ContextAI

FreeSWITCH is an open-source Software Defined Telecom Stack maintained by SignalWire (cpe:2.3:a:signalwire:freeswitch) that handles SIP, WebRTC, and media routing. STUN (Session Traversal Utilities for NAT, RFC 5389) is used to discover NAT mappings during ICE candidate negotiation for media sessions. The flaw maps to CWE-20 (Improper Input Validation): the STUN attribute parser trusts the attribute length field declared in the packet header and casts the payload to a fixed C struct without verifying that the declared length is large enough to contain that struct. When the declared length is shorter than the structure size, the parser reads and writes past the end of the per-leg media buffer, producing an out-of-bounds access on heap memory tied to the call leg.

RemediationAI

Vendor-released patch: upgrade to FreeSWITCH 1.11.0 (https://github.com/signalwire/freeswitch/releases/tag/v1.11.0), which the project flags as an important release containing critical security fixes; review the migration notes for breaking changes since 1.11.0 also switches the regex engine to PCRE2, removes roughly thirty legacy modules, and upgrades the Windows OpenSSL build to 3.x. Until upgrade is possible, restrict UDP reachability to the FreeSWITCH media ports (default RTP/ICE range and any configured STUN listeners) so only known SIP/WebRTC peers can send STUN traffic - typically by ACL'ing the media interface to trusted carrier and client subnets at the edge firewall - with the trade-off that this breaks NAT traversal for clients outside the allowlist and is not viable for public WebRTC services. Where edge filtering is impractical, place the instance behind a STUN-aware SBC or session border element that validates attribute lengths before forwarding, accepting the added latency and operational complexity. Refer to the GHSA-9j6h-hc95-q926 advisory for the authoritative fix metadata.

CVE-2019-19492 CRITICAL POC
9.8 Dec 02

FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th

CVE-2015-7392 HIGH POC
7.5 Oct 05

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x

CVE-2021-41158 HIGH POC
7.5 Oct 26

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41145 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41105 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-37624 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-36513 HIGH POC
7.5 Oct 18

An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all

CVE-2018-19911 HIGH POC
7.5 Dec 06

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api

CVE-2013-2238 MEDIUM POC
6.8 Sep 30

Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a

CVE-2023-40019 MEDIUM POC
6.5 Sep 15

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2023-51443 MEDIUM POC
5.9 Dec 27

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2026-49841 CRITICAL
9.8 Jun 09

Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt

Share

EUVD-2026-35470 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy