Description
Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted data packet sent over TCP. The issue impacts Kamailio instances having TCP or TLS listeners. This vulnerability is fixed in 5.1.1, 6.0.6, and 5.8.8.
Published: 2026-04-08
Score: 7.5 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

The Kamailio SIP server core contains an out-of-bounds memory access that allows remote attackers to trigger a process crash by sending a specially crafted packet over TCP or TLS. This flaw, classified as a buffer overflow (CWE-119), results in a denial of service that removes the instance from service and disrupts SIP signaling for all connected clients.

Affected Systems

Kamailio installations running any version older than 6.1.1, 6.0.6, or 5.8.8 are vulnerable, provided the server has a TCP or TLS listener enabled. The vulnerability was fixed in releases 5.1.1, 6.0.6, and 5.8.8; therefore any newer build that incorporates these updates is not affected.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high severity denial-of-service flaw. EPSS data is not available, and the issue does not appear in CISA’s KEV catalog, implying no publicly known exploitation. Based on the description, it is inferred that an attacker needs only network connectivity to the exposed TCP/TLS port to send the malformed packet and trigger the crash.

Generated by OpenCVE AI on April 8, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kamailio to version 5.1.1, 6.0.6, 5.8.8, or any later release that includes the patch for the out-of-bounds access.
  • Verify that all active TCP or TLS listeners are running the updated binaries and that no legacy configurations or older binaries remain in use.
  • If an upgrade cannot be performed immediately, temporarily block inbound traffic on the TCP/TLS ports that the Kamailio instance listens on until a patched version is deployed.


Tracking


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 14:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values added: Kamailio; Kamailio kamailio
Type: Vendors & Products
Values added: Kamailio; Kamailio kamailio

Wed, 08 Apr 2026 20:15:00 +0000

Type: Description
Values added: Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted data packet sent over TCP. The issue impacts Kamailio instances having TCP or TLS listeners. This vulnerability is fixed in 5.1.1, 6.0.6, and 5.8.8.
Type: Title
Values added: Kamailio Core: TCP Data Processing Vulnerability
Type: Weaknesses
Values added: CWE-119
Type: References
Values added: (none listed)
Type: Metrics
Values added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T13:52:38.030Z

Reserved: 2026-04-07T19:13:20.379Z

Link: CVE-2026-39863

Vulnrichment

Updated: 2026-04-09T13:52:34.946Z

NVD

Status: Awaiting Analysis

Published: 2026-04-08T20:16:26.550

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39863

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:32Z

Weaknesses