Main Vulnerability Database Vulnerabilities #VU133319

Heap-based buffer overflow in freeswitch - CVE-2026-49840

Published: June 4, 2026

Vulnerability identifier: #VU133319

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-49840

CWE-ID: CWE-122

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: www.freeswitch.org

Affected software:
freeswitch

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service or corrupt heap memory.

The vulnerability exists due to a heap-based buffer overflow in libesl esl_recv_event() when parsing a crafted Content-Length header from an ESL peer. A remote attacker can send a specially crafted frame to cause a denial of service or corrupt heap memory.

The issue can be triggered before the client authenticates to the peer, and no credentials or prior interaction are required.

How to mitigate CVE-2026-49840

Install security update from vendor's website.

Sources

https://github.com/signalwire/freeswitch/security/advisories/GHSA-g597-9fgg-ghg9

Heap-based buffer overflow in freeswitch - CVE-2026-49840

Detailed vulnerability description

How to mitigate CVE-2026-49840

Sources

Please verify you're human