Description
A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system's integrity and availability.
Published: 2026-01-23
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service with potential remote code execution
Action: Patch ASAP
AI Analysis

Impact

SIPp contains a NULL pointer dereference that occurs when it processes specially crafted SIP messages on an active call. The vulnerability can cause the program to crash, resulting in a denial of service. Under certain, unspecified conditions the flaw may also allow an attacker to execute unauthorized code, compromising both system integrity and availability.

Affected Systems

The affected product is SIPp. No specific vendor or version information is provided in the CVE, so all deployments of SIPp are potentially impacted until a patch is applied.

Risk and Exploitability

The CVSS score of 8.4 classifies this issue as high severity. The EPSS score is less than 1%, indicating that exploitation is currently unlikely but not impossible. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widely available exploit. The attack vector is inferred to be remote and requires an attacker to send malicious SIP traffic to an exposed SIPp instance during an ongoing call.

Generated by OpenCVE AI on April 18, 2026 at 03:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SIPp to the latest patched version that addresses the NULL pointer dereference.
  • Configure network firewalls to limit SIP traffic to trusted IPs only, blocking any unsolicited SIP packets.
  • Enable verbose logging for SIP message parsing and monitor for abnormal or malformed SIP requests, escalating on repeated failures.

Generated by OpenCVE AI on April 18, 2026 at 03:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Sipp
Sipp sipp
Vendors & Products Sipp
Sipp sipp

Fri, 23 Jan 2026 04:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system's integrity and availability.
Title Sipp/sipp: sipp: denial of service and potential arbitrary code execution vulnerability
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Sipp Sipp
cve-icon MITRE

Status: PUBLISHED

Assigner: fedora

Published:

Updated: 2026-01-23T19:04:04.032Z

Reserved: 2026-01-08T06:21:31.656Z

Link: CVE-2026-0710

cve-icon Vulnrichment

Updated: 2026-01-23T19:03:59.456Z

cve-icon NVD

Status : Deferred

Published: 2026-01-23T04:16:01.860

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0710

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses