FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Description

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.

AI Analysis

Pre-authentication heap buffer overflow in libesl `Content-Length` parsing

Basic Information

ID CVE-2026-49840

Source GitHub_M

Published Jun 9, 2026 at 16:00

Affected Product

Vendor signalwire

Product freeswitch

Version < 1.11.1

Affected Versions signalwire freeswitch < 1.11.1

CWE Classification

CWE-20 CWE-122 CWE-195 CWE-787

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor SignalWire

Product FreeSWITCH

Version < 1.11.1

References

{
    "lastseen": "",
    "description": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.",
    "published": "2026-06-09T16:00:56.687Z",
    "modified": "2026-06-09T16:00:56.687Z",
    "type": "cve",
    "title": "FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing",
    "source": "GitHub_M",
    "references": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g597-9fgg-ghg9\nhttps://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
    "id": "CVE-2026-49840",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20",
        "CWE-122",
        "CWE-195",
        "CWE-787"
    ],
    "cvelist": null,
    "sourceData": "signalwire freeswitch < 1.11.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "freeswitch",
    "version": "< 1.11.1",
    "vendor": "signalwire",
    "ai_description": "Pre-authentication heap buffer overflow in libesl `Content-Length` parsing",
    "ai_severity": "Critical",
    "ai_vendor": "SignalWire",
    "ai_product": "FreeSWITCH",
    "ai_version": "< 1.11.1",
    "ai_score": 9.1
}

FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing_CVE-2026-49840