Skip to main content

FreeSWITCH EUVDEUVD-2026-35493

| CVE-2026-49847 HIGH
Uncontrolled Recursion (CWE-674)
2026-06-09 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 18:02 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 16:48 vuln.today
Analysis Generated
Jun 09, 2026 - 16:48 vuln.today

DescriptionGitHub Advisory

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1.

AnalysisAI

Denial of service in FreeSWITCH prior to version 1.11.1 allows remote unauthenticated attackers to crash the entire telephony process by sending a single WebSocket frame carrying a deeply nested JSON document. The recursive parsing exhausts the worker thread's stack and triggers SIGSEGV via the kernel stack guard page, terminating all active calls and sessions on the host. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the trivial network-reachable trigger and availability-only impact make it a credible service-disruption risk for exposed VoIP infrastructure.

Technical ContextAI

FreeSWITCH is an open-source Software Defined Telecom Stack maintained by SignalWire (CPE cpe:2.3:a:signalwire:freeswitch) that powers SIP, WebRTC, and Verto-based real-time communications on commodity hardware. The root cause is CWE-674 (Uncontrolled Recursion): the embedded cJSON parser used to decode WebSocket frames (typically via mod_verto, FreeSWITCH's WebRTC signaling module) recurses once per nested object/array level without a depth cap, so a maliciously crafted JSON document drives the parser's stack frames into the OS-reserved stack guard page. Because the fault is taken by the kernel before any controllable write primitive develops, the bug is limited to a crash - but a crash of the FreeSWITCH worker terminates every call and session on the host. The upstream fix in v1.11.1 caps cJSON parser nesting depth, as explicitly noted in the release changelog entry '[build] Cap cJSON parser nesting depth to prevent stack overflow.'

RemediationAI

Vendor-released patch: FreeSWITCH 1.11.1 - upgrade immediately, per the SignalWire advisory at https://github.com/signalwire/freeswitch/security/advisories/GHSA-2v74-pcgh-75wg and the release notes at https://github.com/signalwire/freeswitch/releases/tag/v1.11.1, which explicitly cap cJSON parser nesting depth to prevent the stack overflow. For environments that cannot upgrade immediately, restrict network reachability to the WebSocket signaling ports used by mod_verto (default TCP 8081/8082) to trusted client subnets or place them behind an authenticating reverse proxy or WAF that enforces a maximum JSON nesting depth and frame size on incoming WebSocket payloads - the trade-off is that legitimate WebRTC clients connecting from arbitrary networks will be blocked or require additional authentication infrastructure. If WebSocket/Verto signaling is not in use, disable mod_verto in modules.conf.xml to remove the attack surface entirely, accepting the loss of WebRTC signaling functionality. Monitor FreeSWITCH process supervisors and SIP/Verto session counts for sudden terminations as a detection signal until patching is complete.

CVE-2019-19492 CRITICAL POC
9.8 Dec 02

FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th

CVE-2015-7392 HIGH POC
7.5 Oct 05

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x

CVE-2021-41158 HIGH POC
7.5 Oct 26

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41145 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41105 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-37624 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-36513 HIGH POC
7.5 Oct 18

An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all

CVE-2018-19911 HIGH POC
7.5 Dec 06

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api

CVE-2013-2238 MEDIUM POC
6.8 Sep 30

Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a

CVE-2023-40019 MEDIUM POC
6.5 Sep 15

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2023-51443 MEDIUM POC
5.9 Dec 27

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2026-49841 CRITICAL
9.8 Jun 09

Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt

Share

EUVD-2026-35493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy