CVE Catalog

CVE-2026-49840

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.06%

19th percentile — higher than 19% of all known CVEs

Summary

In versions prior to 1.11.1, FreeSWITCH has a vulnerability in the esl_recv_event() function that does not validate the Content-Length value. A malicious user or man-in-the-middle attacker can send a frame with a negative Content-Length, potentially corrupting the heap or crashing the process.

Risk Assessment

This vulnerability could be exploited by an attacker to remotely compromise the system or cause it to crash, posing a serious threat to the stability and security of telecommunications services.

Recommendation

It is recommended to upgrade FreeSWITCH to version 1.11.1 or later to mitigate this vulnerability.

Original NVD description (English source)

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS