SB2026051551 - Multiple vulnerabilities in freeswitch
Published: May 15, 2026 Updated: June 4, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) XML Entity Expansion (CVE-ID: CVE-2026-45771)
CWE-ID: CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper restriction of recursive entity references in DTDs in the core XML parser when parsing the PIDF body of a SIP PUBLISH request. A remote attacker can send a specially crafted SIP PUBLISH request containing nested XML entity declarations to cause a denial of service.
Only SIP profiles with manage-presence enabled are vulnerable, and the PIDF body is parsed before any registration, ACL, or digest check.
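Because the PIDF body is parsed before any authentication step, the parser itself is the only line of defence against entity expansion. The following is an added example, not code from FreeSWITCH or from this bulletin: it parses a PIDF document with Python's stdlib expat binding under an explicit entity policy. PIDF (RFC 3863) has no legitimate use for a DTD, so the default policy rejects any entity declaration; an optional fallback caps the total expanded character data so that a small request cannot unfold into a large parse. The two PIDF bodies are constructed samples (the entity-bomb one is the textbook nested-entity pattern at a harmless depth), and the names `parse_pidf`, `classify` and `PidfRejected` are this example's own.

```python
import xml.parsers.expat as expat


class PidfRejected(ValueError):
    """Presence body violated the entity policy (not an XML syntax error)."""


def parse_pidf(body: bytes, allow_entities: bool = False,
               max_expanded_bytes: int = 64 * 1024) -> dict:
    """Parse a PIDF document with expat under an explicit entity policy.

    Default policy: any entity declaration is rejected (PIDF needs none).
    With allow_entities=True a second line of defence applies instead: the
    total expanded character data is capped, so nested entities cannot
    amplify a small request into a large parse.
    """
    state = {"basic": [], "chars": 0, "path": []}
    parser = expat.ParserCreate()
    # Never process external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not allow_entities:
            raise PidfRejected(f"entity declaration {name!r} not permitted in PIDF")

    def on_start(name, attrs):
        state["path"].append(name)

    def on_end(name):
        state["path"].pop()

    def on_chardata(data):
        # Every byte counted here is *expanded* output, so a body whose
        # entities unfold past the cap is rejected mid-expansion.
        state["chars"] += len(data)
        if state["chars"] > max_expanded_bytes:
            raise PidfRejected(f"expanded content exceeds {max_expanded_bytes} bytes")
        if state["path"] and state["path"][-1] == "basic":
            state["basic"].append(data)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chardata
    parser.Parse(body, True)  # raises expat.ExpatError on malformed XML
    return {"basic": "".join(state["basic"]) or None,
            "expanded_bytes": state["chars"]}


def classify(body: bytes, **policy) -> str:
    """Collapse the outcome to a label suitable for a log line or a test."""
    try:
        parse_pidf(body, **policy)
        return "accepted"
    except PidfRejected:
        return "rejected"
    except expat.ExpatError:
        return "malformed"


# Constructed sample: a minimal, well-formed PIDF body.
BENIGN_PIDF = b"""<?xml version="1.0" encoding="UTF-8"?>
<presence xmlns="urn:ietf:params:xml:ns:pidf" entity="pres:alice@example.com">
  <tuple id="t1"><status><basic>open</basic></status></tuple>
</presence>"""

# Constructed sample: four nesting levels of ten references each, so the
# single &lol3; in <basic> expands to 3000 bytes from a ~500-byte body.
ENTITY_BOMB_PIDF = b"""<?xml version="1.0"?>
<!DOCTYPE presence [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<presence xmlns="urn:ietf:params:xml:ns:pidf" entity="pres:mallory@example.com">
  <tuple id="t1"><status><basic>&lol3;</basic></status></tuple>
</presence>"""
```

With the default policy the entity-bomb body is refused at its first `<!ENTITY` declaration, before any expansion happens; with `allow_entities=True` and a 512-byte cap it is refused part-way through expanding `&lol3;`. Rejecting declarations outright is the cheaper and more predictable rule for a format that never needs them, and the size cap is worth keeping as defence in depth.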
2) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-49472)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to memory corruption in PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c when parsing XML input. A remote user can send specially crafted XML data to cause a denial of service.
The affected function was cloned from an outdated libexpat codebase and may be exploitable in a manner similar to the original upstream issue.
3) Out-of-bounds read (CVE-ID: CVE-2026-49475)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read and out-of-bounds write in switch_stun_packet_parse() when parsing crafted STUN attributes on an ICE-enabled call leg. A remote attacker can send a specially crafted UDP datagram to cause a denial of service.
STUN parsing occurs before the STUN message integrity check, and no ICE password or prior interaction with the call is required.
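Since the attributes are walked before the integrity check, the STUN parser sees wholly unauthenticated bytes, and every length it reads must be validated against the datagram that actually arrived. The following is an added example, not FreeSWITCH's switch_stun_packet_parse() or any other code from the project: a bounds-checked STUN attribute walker in Python (chosen so it runs stand-alone; the checks are the same ones a C implementation needs). The framing constants come from RFC 5389; the datagrams, transaction ID and the names `parse_stun`, `build_stun`, `classify_stun` and `StunParseError` are constructed for this example.

```python
import struct

STUN_HEADER_LEN = 20
STUN_MAGIC_COOKIE = 0x2112A442   # RFC 5389 section 6
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006


class StunParseError(ValueError):
    """Datagram rejected before any attribute value is dereferenced."""


def parse_stun(datagram: bytes) -> dict:
    """Parse a STUN message (RFC 5389 framing), bounds-checking every field.

    The rule throughout: every length is validated against the bytes that
    actually arrived, never against what the header or an attribute claims.
    """
    if len(datagram) < STUN_HEADER_LEN:
        raise StunParseError("shorter than the 20-byte STUN header")
    msg_type, msg_len, cookie = struct.unpack_from("!HHI", datagram, 0)
    if msg_type & 0xC000:
        raise StunParseError("top two bits of message type must be zero")
    if cookie != STUN_MAGIC_COOKIE:
        raise StunParseError("magic cookie mismatch")
    if msg_len % 4:
        raise StunParseError("message length must be a multiple of 4")
    carried = len(datagram) - STUN_HEADER_LEN
    if msg_len != carried:
        raise StunParseError(f"header claims {msg_len} attribute bytes, datagram carries {carried}")

    attrs = []
    off, end = STUN_HEADER_LEN, STUN_HEADER_LEN + msg_len
    while off < end:
        if end - off < 4:
            raise StunParseError("truncated attribute header")
        atype, alen = struct.unpack_from("!HH", datagram, off)
        off += 4
        # The attribute length is remote-controlled: compare it with the bytes
        # remaining before slicing. Skipping this check is what turns a short
        # datagram into an out-of-bounds read.
        if alen > end - off:
            raise StunParseError(f"attribute 0x{atype:04x} claims {alen} bytes, {end - off} remain")
        attrs.append((atype, datagram[off:off + alen]))
        # Values are padded to 4 bytes; off and end are both 4-aligned, so the
        # padded length cannot overrun once alen itself fit.
        off += (alen + 3) & ~3
    return {"type": msg_type, "txid": datagram[8:STUN_HEADER_LEN], "attrs": attrs}


def build_stun(msg_type: int, txid: bytes, attrs) -> bytes:
    """Encode a well-formed message; used here only to construct samples."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\x00" * (-len(v) % 4)
                    for t, v in attrs)
    return struct.pack("!HHI", msg_type, len(body), STUN_MAGIC_COOKIE) + txid + body


def classify_stun(datagram: bytes) -> str:
    """Label the outcome for a log line or a test."""
    try:
        parse_stun(datagram)
        return "accepted"
    except StunParseError:
        return "rejected"


# Constructed samples; the transaction ID is a fixed placeholder, not captured traffic.
TXID = bytes(range(12))
GOOD = build_stun(BINDING_REQUEST, TXID, [(ATTR_USERNAME, b"alice:bob")])
# Same datagram with the USERNAME length field (bytes 22..23) rewritten to claim
# 65535 bytes while only 12 follow.
OVERLONG_ATTR = GOOD[:22] + b"\xff\xff" + GOOD[24:]
# Header intact, but the last 4 bytes never arrived.
TRUNCATED = GOOD[:-4]
```

The two malformed samples exercise the two places a TLV walker typically goes wrong: trusting the header's message length over the received size, and trusting an attribute's own length over the bytes that remain. A parser structured this way can safely run ahead of the MESSAGE-INTEGRITY check, because nothing it reads depends on a value it has not first bounded.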
Remediation
Install the update from the vendor's website.
References
- https://github.com/signalwire/freeswitch/security/advisories/GHSA-5vjg-pv56-vg4c
- https://github.com/signalwire/freeswitch/security/advisories/GHSA-4jm3-xpcm-mwwq
- https://github.com/libexpat/libexpat/commit/3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6
- https://github.com/signalwire/freeswitch/security/advisories/GHSA-9j6h-hc95-q926