SB2026060412 - Multiple vulnerabilities in freeswitch
Published: June 4, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2026-49848)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to influence call-side variables.
The vulnerability exists due to improper authentication in mod_verto check_auth userauth branch when handling authentication attempts on the same WebSocket connection. A remote user can submit crafted userVariables during failed login attempts and then authenticate successfully on the same connection to influence call-side variables.
Only mod_verto profiles with userauth enabled are vulnerable, and the injected values take effect only after authentication succeeds on the same WebSocket session.
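The pattern behind this issue is per-connection state that outlives a rejected login attempt. The following C snippet is an added illustration (not mod_verto's code; the conn_state_t, login_req_t, credentials_valid and handler names are assumptions for the demo) of a login handler that stages client-supplied variables before the credential check, beside one that discards everything from a failed attempt and commits variables only from the request whose credentials were accepted:

```c
/* Added example: per-connection login state. Assumed structures, not FreeSWITCH's. */
#include <string.h>
#include <stdio.h>

#define MAX_VARS 8
#define VAR_LEN 64

typedef struct {
    int authenticated;
    int nvars;
    char vars[MAX_VARS][VAR_LEN];   /* committed "key=value" strings for this session */
} conn_state_t;

typedef struct {
    const char *user;
    const char *password;
    const char *user_vars[MAX_VARS]; /* "key=value" strings carried by this attempt */
    int n_user_vars;
} login_req_t;

typedef int (*login_handler_fn)(conn_state_t *, const login_req_t *);

/* Stand-in for a directory lookup; constants are constructed demo values. */
static int credentials_valid(const login_req_t *r)
{
    return strcmp(r->user, "1000") == 0 && strcmp(r->password, "correct-horse") == 0;
}

static void stage_vars(conn_state_t *c, const login_req_t *r)
{
    for (int i = 0; i < r->n_user_vars && c->nvars < MAX_VARS; i++) {
        strncpy(c->vars[c->nvars], r->user_vars[i], VAR_LEN - 1);
        c->vars[c->nvars][VAR_LEN - 1] = '\0';
        c->nvars++;
    }
}

/* Pattern to avoid: variables are recorded on the connection before the
 * credential check, so a rejected attempt still leaves them in place for the
 * next, possibly successful, attempt on the same connection. */
int handle_login_insecure(conn_state_t *c, const login_req_t *r)
{
    stage_vars(c, r);
    c->authenticated = credentials_valid(r);
    return c->authenticated;
}

/* Hardened: reset anything left by earlier attempts, verify credentials
 * first, and commit variables only from the accepted request. */
int handle_login_secure(conn_state_t *c, const login_req_t *r)
{
    c->nvars = 0;
    c->authenticated = 0;
    if (!credentials_valid(r))
        return 0;
    stage_vars(c, r);
    c->authenticated = 1;
    return 1;
}

/* Replays the sequence from the bulletin: a failed attempt that carries a
 * variable, then a successful login on the same connection. Returns the
 * number of variables the authenticated session ended up with. */
int scenario(login_handler_fn handler, int vars_on_good_attempt)
{
    conn_state_t c;
    memset(&c, 0, sizeof c);
    login_req_t bad  = { "1000", "wrong",         { "demo_var=from-failed-attempt" },   1 };
    login_req_t good = { "1000", "correct-horse", { "demo_var=from-accepted-attempt" }, vars_on_good_attempt ? 1 : 0 };
    handler(&c, &bad);
    handler(&c, &good);
    return c.authenticated ? c.nvars : -1;
}

int main(void)
{
    printf("insecure handler: %d variable(s) from a failed attempt survived\n",
           scenario(handle_login_insecure, 0));
    printf("secure handler:   %d variable(s) from a failed attempt survived\n",
           scenario(handle_login_secure, 0));
    return 0;
}
```

The detection angle is the same state boundary: a login frame that carries userVariables and fails, followed by a success on the same WebSocket session, is the sequence worth logging and alerting on while unpatched profiles with userauth enabled remain in service.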
2) Uncontrolled Recursion (CVE-ID: CVE-2026-49847)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in the bundled cJSON parser in mod_verto when parsing deeply nested JSON in a WebSocket frame before authentication. A remote attacker can send a specially crafted WebSocket frame to cause a denial of service.
Any peer that can reach the WebSocket listener can trigger the issue without authentication or user interaction.
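A pre-parse depth check is the usual mitigation for recursion in a JSON parser: walk the raw frame once, count bracket nesting while skipping string contents, and refuse the frame before it reaches the recursive descent. The C code below is an added example (not mod_verto's or cJSON's code; VERTO_JSON_MAX_DEPTH and the function names are assumptions chosen for the demo):

```c
/* Added example: reject over-nested JSON before handing it to a recursive parser. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VERTO_JSON_MAX_DEPTH 64   /* assumed limit; real JSON-RPC traffic is far shallower */

/* Returns the deepest bracket nesting in text, or -1 when the nesting exceeds
 * max_depth or the brackets/strings are not balanced. Brackets inside string
 * literals (including escaped quotes) are ignored. */
int json_nesting_depth(const char *text, size_t len, int max_depth)
{
    int depth = 0, max_seen = 0, in_string = 0;

    for (size_t i = 0; i < len; i++) {
        char c = text[i];
        if (in_string) {
            if (c == '\\') { i++; continue; }   /* skip the escaped character */
            if (c == '"') in_string = 0;
            continue;
        }
        switch (c) {
        case '"':
            in_string = 1;
            break;
        case '{': case '[':
            if (++depth > max_depth) return -1;
            if (depth > max_seen) max_seen = depth;
            break;
        case '}': case ']':
            if (--depth < 0) return -1;
            break;
        default:
            break;
        }
    }
    return (depth == 0 && !in_string) ? max_seen : -1;
}

/* Gate to call on every frame, authenticated or not, before parsing. */
int frame_safe_to_parse(const char *text, size_t len)
{
    return json_nesting_depth(text, len, VERTO_JSON_MAX_DEPTH) >= 0;
}

/* Builds a constructed frame of `levels` nested arrays and reports whether the
 * gate rejects it (1) or accepts it (0). */
int deep_frame_is_rejected(int levels)
{
    static char frame[8192];
    size_t n = 0;
    if (levels < 0) levels = 0;
    if (levels > 4000) levels = 4000;
    for (int i = 0; i < levels; i++) frame[n++] = '[';
    for (int i = 0; i < levels; i++) frame[n++] = ']';
    return frame_safe_to_parse(frame, n) ? 0 : 1;
}

int main(void)
{
    const char *login = "{\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"a\":[1,2,[3]]}}";
    printf("login frame depth %d, %s\n", json_nesting_depth(login, strlen(login), VERTO_JSON_MAX_DEPTH),
           frame_safe_to_parse(login, strlen(login)) ? "accepted" : "rejected");
    printf("2000-level frame %s\n", deep_frame_is_rejected(2000) ? "rejected" : "accepted");
    return 0;
}
```

Upstream cJSON also carries a compile-time CJSON_NESTING_LIMIT (default 1000); whether the copy bundled with mod_verto honours it is not stated here, so the pre-parse gate above does not depend on it. A large decrease in accepted nesting depth is a cheap rule to pair with a frame-size cap on the WebSocket listener.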
3) Improper Authentication (CVE-ID: CVE-2026-49843)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper authentication in mod_verto JSON-RPC handler when processing the first JSON-RPC frame with a client-supplied sessid. A remote attacker can send a specially crafted request using a known target session UUID to cause a denial of service.
Exploitation requires network reachability to the verto WebSocket listener and prior knowledge of the target session UUID obtained through a side channel. The issue does not allow credential bypass or victim-session takeover.
4) Resource exhaustion (CVE-ID: CVE-2026-49842)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the mod_verto WebSocket frame loop when processing #SPU / #SPB / #SPE speed-test frames before authentication. A remote attacker can send a specially crafted WebSocket request with a large declared payload size to cause a denial of service.
The issue is reachable before the JSON-RPC dispatcher and authentication gate, and no user interaction is required.
5) Heap-based buffer overflow (CVE-ID: CVE-2026-49841)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service and potentially disclose sensitive information.
The vulnerability exists due to a heap-based buffer overflow in the mod_verto HTTP request handler when processing a crafted POST application/x-www-form-urlencoded body. A remote attacker can send a specially crafted HTTP request with an oversized Content-Length value to cause a denial of service and potentially disclose sensitive information.
The issue is reachable before the HTTP basic-auth check runs and affects only verto profiles with at least one vhost configured.
6) Heap-based buffer overflow (CVE-ID: CVE-2026-49840)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service or corrupt heap memory.
The vulnerability exists due to a heap-based buffer overflow in libesl esl_recv_event() when parsing a crafted Content-Length header from an ESL peer. A remote attacker can send a specially crafted frame to cause a denial of service or corrupt heap memory.
The issue can be triggered before the client authenticates to the peer, and no credentials or prior interaction are required.
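Items 4, 5 and 6 share one root cause: a peer-declared size (a speed-test payload size or a Content-Length header) is trusted when sizing or filling a buffer. The C code below is an added example of the defensive pattern, not libesl's or mod_verto's code: the declared value is parsed strictly, bounded by both an absolute cap and the receiving buffer's capacity, and checked against what was actually received before any copy. ESL_MAX_BODY, parse_content_length, receive_body and the demo_* helpers are assumptions for this illustration.

```c
/* Added example: validate a peer-declared length before it drives allocation or a copy. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ESL_MAX_BODY 65536   /* assumed absolute cap on any declared body size */

/* Strict decimal parse of a declared length. Returns the value, or -1 when the
 * text is empty, signed, contains non-digits, overflows, or exceeds max_allowed. */
long long parse_content_length(const char *s, size_t max_allowed)
{
    char *end = NULL;
    unsigned long long v;

    if (s == NULL) return -1;
    if (max_allowed > ESL_MAX_BODY) max_allowed = ESL_MAX_BODY;
    while (*s == ' ' || *s == '\t') s++;          /* tolerate leading blanks only */
    if (*s < '0' || *s > '9') return -1;          /* rejects "", "-1", "+5", "abc" */
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE) return -1;               /* too large for unsigned long long */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return -1;                  /* trailing junk such as "12abc" */
    if (v > (unsigned long long)max_allowed) return -1;
    return (long long)v;
}

/* Copies the body into buf only after the declared length has been validated
 * against the buffer's capacity (minus a terminating NUL) and against the
 * number of bytes actually received. Returns bytes copied, or -1. In a
 * streaming receiver the same bound limits the read loop instead of memcpy. */
long receive_body(const char *content_length_hdr, const char *wire, size_t wire_len,
                  char *buf, size_t buf_cap)
{
    long long declared;

    if (buf == NULL || buf_cap == 0) return -1;
    declared = parse_content_length(content_length_hdr, buf_cap - 1);
    if (declared < 0) return -1;
    if ((size_t)declared > wire_len) return -1;   /* peer sent less than it declared */
    memcpy(buf, wire, (size_t)declared);
    buf[declared] = '\0';
    return (long)declared;
}

/* Demo wrappers over a fixed 16-byte receive buffer (constructed for the example). */
static char demo_buf[16];

long demo_receive(const char *content_length_hdr, const char *wire)
{
    return receive_body(content_length_hdr, wire, strlen(wire), demo_buf, sizeof demo_buf);
}

const char *demo_body(void)
{
    return demo_buf;
}

int main(void)
{
    printf("Content-Length: 5   -> %ld bytes, body \"%s\"\n",
           demo_receive("5", "hello world"), demo_body());
    printf("Content-Length: 100 -> %ld (rejected: exceeds the 16-byte buffer)\n",
           demo_receive("100", "hello world"));
    printf("Content-Length: 8   -> %ld (rejected: only 5 bytes on the wire)\n",
           demo_receive("8", "hello"));
    return 0;
}
```

On the monitoring side, declared lengths above the configured cap, or a declared length that never arrives, are the frames to count per peer; both are visible without decoding the payload.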
Remediation
Install the update from the vendor's website.
References
- https://github.com/signalwire/freeswitch/security/advisories/GHSA-j38x-xm7f-9p2f
- https://github.com/signalwire/freeswitch/security/advisories/GHSA-2v74-pcgh-75wg
- https://github.com/signalwire/freeswitch/security/advisories/GHSA-9457-fxr9-x78m
- https://github.com/signalwire/freeswitch/security/advisories/GHSA-p3gx-p2w7-wp35
- https://github.com/signalwire/freeswitch/security/advisories/GHSA-wfrq-qvg2-f88f
- https://github.com/signalwire/freeswitch/security/advisories/GHSA-g597-9fgg-ghg9