SB2026051551 - Multiple vulnerabilities in freeswitch



SB2026051551 - Multiple vulnerabilities in freeswitch

Published: May 15, 2026 Updated: June 4, 2026

Security Bulletin ID SB2026051551
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) XML Entity Expansion (CVE-ID: CVE-2026-45771)

CWE-ID: CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper restriction of recursive entity references in DTDs in the core XML parser when parsing the PIDF body of a SIP PUBLISH request. A remote attacker can send a specially crafted SIP PUBLISH request containing nested XML entity declarations to cause a denial of service.

Only SIP profiles with manage-presence enabled are vulnerable, and the PIDF body is parsed before any registration, ACL, or digest check.


2) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-49472)

CWE-ID: CWE-116 - Improper Encoding or Escaping of Output

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to memory corruption in PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c when parsing XML input. A remote user can send specially crafted XML data to cause a denial of service.

The affected function was cloned from an outdated libexpat codebase and may be exploitable in a manner similar to the original upstream issue.


3) Out-of-bounds read (CVE-ID: CVE-2026-49475)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read and out-of-bounds write in switch_stun_packet_parse() when parsing crafted STUN attributes on an ICE-enabled call leg. A remote attacker can send a specially crafted UDP datagram to cause a denial of service.

STUN parsing occurs before the STUN message integrity check, and no ICE password or prior interaction with the call is required.


Remediation

Install update from vendor's website.