Description
Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.0.5 and 5.8.7, an out-of-bounds read in the auth module of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted SIP packet if a successful user authentication without a database backend is followed by additional user identity checks. This vulnerability is fixed in 6.0.5 and 5.8.7.
Published: 2026-04-08
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

An out‑of‑bounds read in the auth module of Kamailio allows an attacker to force the SIP server to crash. The flaw becomes exploitable when a user authenticates successfully without a database backend and then additional identity checks are performed. The result is a process crash that leads to a denial of service. This issue is a classic out‑of‑bounds read problem, classified under CWE‑125.

Affected Systems

The vulnerability affects Kamailio versions earlier than 6.0.5 and 5.8.7. The affected component is the auth module of the SIP signaling server. Systems running Kamailio 6.x prior to 6.0.5 or 5.x before 5.8.7 are at risk, regardless of the deployment environment.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity. EPSS information is not available, so the exploitation probability is unclear. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation at this time. The likely attack vector is a remote attacker sending a specially crafted SIP packet after a successful authentication, though the description does not explicitly state the network context, it is inferred that the attack requires remote network access to the Kamailio server.

Generated by OpenCVE AI on April 8, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kamailio to at least version 6.0.5 or 5.8.7 to eliminate the out‑of‑bounds read.
  • Ensure that authentication is configured to use a database backend, or verify that additional identity checks are not performed after a successful login if no backend is used.
  • If an immediate upgrade is not possible, isolate the Kamailio server from untrusted networks and monitor for abnormal SIP traffic, applying firewall rules to drop suspicious packets until the patch is applied.

Generated by OpenCVE AI on April 8, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Kamailio
Kamailio kamailio
Vendors & Products Kamailio
Kamailio kamailio

Wed, 08 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Description Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.0.5 and 5.8.7, an out-of-bounds read in the auth module of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted SIP packet if a successful user authentication without a database backend is followed by additional user identity checks. This vulnerability is fixed in 6.0.5 and 5.8.7.
Title Kamailio Auth: Processing Vulnerability For Additional Authenticated User Identity Checks
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Kamailio Kamailio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T20:19:53.226Z

Reserved: 2026-04-07T19:13:20.379Z

Link: CVE-2026-39864

cve-icon Vulnrichment

Updated: 2026-04-08T20:19:37.794Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T20:16:26.700

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39864

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:31Z

Weaknesses