Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A STUN packet whose declared attribute length is shorter than the structure the parser casts it to makes the FreeSWITCH STUN parser read and write beyond the end of that attribute, an out-of-bounds access (CWE-125 read, CWE-787 write) on the per-leg media buffer. The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates only availability impact, so the confirmed outcome is a crash of the process handling that media leg. Because the defect includes an out-of-bounds write, memory corruption beyond a plain crash cannot be ruled out from the description alone, but no code-execution exploit is described or confirmed.
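The bug class in C, as an added illustration that is not FreeSWITCH's code and not the actual vulnerable function: a hypothetical XOR-MAPPED-ADDRESS decoder that casts the attribute value to an 8-byte struct and un-XORs it in place without first checking that the declared attribute length covers the struct, beside a version with that check. The packet is built into a canary-filled arena so the bytes the vulnerable version touches beyond the packet can be inspected rather than corrupting unrelated memory. The function names (decode_xor_mapped_vuln, decode_xor_mapped_fixed, build_packet), the struct layout, and the choice of XOR-MAPPED-ADDRESS as the attribute are assumptions for the demonstration; the wire constants are RFC 5389.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>   /* htons/ntohs/htonl/ntohl */

/* RFC 5389 wire constants; the struct and function names below are hypothetical, not FreeSWITCH's. */
#define STUN_HDR_LEN 20
#define STUN_MAGIC_COOKIE 0x2112A442u
#define STUN_ATTR_XOR_MAPPED_ADDRESS 0x0020

/* 8-byte IPv4 XOR-MAPPED-ADDRESS value, fields in network order; port/addr are XORed with the cookie. */
struct stun_xor_mapped { uint8_t reserved, family; uint16_t port; uint32_t addr; };

enum { STUN_OK = 0, STUN_ERR_NO_ATTR = -1, STUN_ERR_TRUNCATED = -2, STUN_ERR_BAD_FAMILY = -3 };

/* Offset of the first attribute of type `want` after the 20-byte header, or -1. */
static long find_attr(const uint8_t *pkt, size_t pkt_len, uint16_t want) {
    size_t off = STUN_HDR_LEN;
    while (off + 4 <= pkt_len) {
        uint16_t type = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
        uint16_t len  = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        if (type == want) return (long)off;
        off += 4 + (((size_t)len + 3) & ~(size_t)3);  /* attribute values are padded to 4 bytes */
    }
    return -1;
}

/* VULNERABLE pattern (reconstruction of the bug class, not the real FreeSWITCH code): the declared
 * length is never compared with sizeof(struct stun_xor_mapped), so a 2-byte attribute is read and
 * un-XORed in place as if it were 8 bytes, touching memory past the end of the attribute. */
int decode_xor_mapped_vuln(uint8_t *pkt, size_t pkt_len, uint16_t *port_out, uint32_t *addr_out) {
    long off = find_attr(pkt, pkt_len, STUN_ATTR_XOR_MAPPED_ADDRESS);
    if (off < 0) return STUN_ERR_NO_ATTR;
    struct stun_xor_mapped *m = (struct stun_xor_mapped *)(pkt + off + 4);  /* trusts the cast */
    m->port ^= htons((uint16_t)(STUN_MAGIC_COOKIE >> 16));   /* in-place write */
    m->addr ^= htonl(STUN_MAGIC_COOKIE);                     /* in-place write 4 bytes past a short value */
    *port_out = ntohs(m->port);
    *addr_out = ntohl(m->addr);
    return STUN_OK;
}

/* FIXED: require the declared length to cover the structure and the value to lie inside the
 * packet, then copy out instead of casting and mutating the buffer in place. */
int decode_xor_mapped_fixed(const uint8_t *pkt, size_t pkt_len, uint16_t *port_out, uint32_t *addr_out) {
    long off = find_attr(pkt, pkt_len, STUN_ATTR_XOR_MAPPED_ADDRESS);
    if (off < 0) return STUN_ERR_NO_ATTR;
    uint16_t len = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
    if (len < sizeof(struct stun_xor_mapped)) return STUN_ERR_TRUNCATED;  /* the missing check */
    if ((size_t)off + 4 + len > pkt_len) return STUN_ERR_TRUNCATED;       /* value inside packet */
    struct stun_xor_mapped m;
    memcpy(&m, pkt + off + 4, sizeof m);
    if (m.family != 0x01) return STUN_ERR_BAD_FAMILY;
    *port_out = ntohs(m.port) ^ (uint16_t)(STUN_MAGIC_COOKIE >> 16);
    *addr_out = ntohl(m.addr) ^ STUN_MAGIC_COOKIE;
    return STUN_OK;
}

/* Constructed sample input: a Binding Response carrying one XOR-MAPPED-ADDRESS attribute with
 * declared length `attr_len` and the given value bytes. Returns the packet length. */
static size_t build_packet(uint8_t *buf, uint16_t attr_len, const uint8_t *value, size_t value_len) {
    size_t padded = ((size_t)attr_len + 3) & ~(size_t)3;
    memset(buf, 0, STUN_HDR_LEN + 4 + padded);
    buf[0] = 0x01; buf[1] = 0x01;                                /* Binding Response */
    buf[2] = (uint8_t)((4 + padded) >> 8); buf[3] = (uint8_t)(4 + padded);
    buf[4] = 0x21; buf[5] = 0x12; buf[6] = 0xA4; buf[7] = 0x42;  /* magic cookie; txid left zero */
    uint8_t *a = buf + STUN_HDR_LEN;
    a[0] = 0x00; a[1] = 0x20; a[2] = (uint8_t)(attr_len >> 8); a[3] = (uint8_t)attr_len;
    memcpy(a + 4, value, value_len < padded ? value_len : padded);
    return STUN_HDR_LEN + 4 + padded;
}

/* Build a packet whose attribute declares length 2 (reserved + family only) at the front of a
 * 0xAA-filled arena, run one decoder, and report whether any byte past the packet changed. */
static int run_short_attr(int use_fixed, int *rc) {
    union { uint32_t align; uint8_t b[64]; } u;          /* 4-byte aligned so the struct cast is legal */
    memset(u.b, 0xAA, sizeof u.b);                       /* 0xAA stands in for neighbouring memory */
    const uint8_t short_val[2] = { 0x00, 0x01 };
    size_t n = build_packet(u.b, 2, short_val, sizeof short_val);   /* n == 28; value fits the packet */
    uint16_t port = 0; uint32_t addr = 0;
    *rc = use_fixed ? decode_xor_mapped_fixed(u.b, n, &port, &addr)
                    : decode_xor_mapped_vuln(u.b, n, &port, &addr);
    int changed = 0;
    for (size_t i = n; i < sizeof u.b; i++) changed |= (u.b[i] != 0xAA);
    return changed;
}

/* 1 if the vulnerable decoder "succeeded" and modified bytes beyond the end of the packet. */
int vuln_writes_past_packet(void) { int rc; int c = run_short_attr(0, &rc); return rc == STUN_OK && c; }

/* 1 if the fixed decoder rejected the short attribute and left memory past the packet untouched. */
int fixed_rejects_short_attr(void) { int rc; int c = run_short_attr(1, &rc); return rc == STUN_ERR_TRUNCATED && !c; }

/* 1 if the fixed decoder recovers 192.0.2.1:3478 from a well-formed 8-byte attribute
 * (on the wire: port 0x0D96 ^ 0x2112 = 0x2C84, addr 0xC0000201 ^ 0x2112A442 = 0xE112A643). */
int fixed_decodes_valid(void) {
    uint8_t pkt[64];
    const uint8_t val[8] = { 0x00, 0x01, 0x2C, 0x84, 0xE1, 0x12, 0xA6, 0x43 };
    size_t n = build_packet(pkt, 8, val, sizeof val);
    uint16_t port = 0; uint32_t addr = 0;
    int rc = decode_xor_mapped_fixed(pkt, n, &port, &addr);
    return rc == STUN_OK && port == 3478 && addr == 0xC0000201u;
}
```

Call the three demo functions from a main of your own; each returns 1 when the stated behaviour holds. The point worth noting is that the usual "attribute fits inside the packet" check passes for this input (declared length 2, padded to 4, lies entirely within the 28-byte packet); only the comparison of the declared length against the size of the structure being cast to stops the parser, which is the check the description implies was missing.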

Affected Systems

The vulnerability affects SignalWire FreeSWITCH. Every FreeSWITCH installation older than version 1.11.0 is vulnerable; version 1.11.0 and later contain the fix for the STUN attribute parsing issue.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes a network-reachable flaw that needs no privileges and no user interaction, so an attacker who can deliver a crafted STUN packet to a port on which FreeSWITCH parses STUN (the per-leg media path, per the description) can trigger it. The description does not say which STUN message or attribute types reach the faulty code path, nor whether the packet must arrive on an established call leg, so the exposed attack surface depends on deployment: installations that accept media from untrusted networks are the most exposed. The SSVC assessment recorded in the history below (Automatable: yes, Exploitation: none, Technical Impact: partial) is consistent with an easy-to-trigger but, so far, unexploited denial of service.

Generated by OpenCVE AI on June 9, 2026 at 18:07 UTC.

Remediation

The vendor fix is FreeSWITCH 1.11.0 (see Description). No separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade FreeSWITCH to version 1.11.0 or later to apply the patch for the STUN parsing issue.
  • Until the upgrade is applied, restrict which peers can reach the FreeSWITCH media port range (for example with firewall rules limiting it to known SBCs, carriers or administrative networks). Because the affected parser sits on the per-leg media path, there is no separate STUN service port to block, so filtering must be by source rather than by service.
  • Monitor FreeSWITCH logs and process health (crashes, core dumps, restarts of the freeswitch process) for repeated media-path failures, which are the expected symptom of this bug being triggered, both before and after the upgrade.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:00:00 +0000

Type: First Time appeared
Values Added: Signalwire; Signalwire freeswitch

Type: Vendors & Products
Values Added: Signalwire; Signalwire freeswitch

Tue, 09 Jun 2026 16:30:00 +0000

Type: Description
Values Added: FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0.

Type: Title
Values Added: FreeSWITCH: Out-of-bounds memory access in core STUN attribute parsing

Type: Weaknesses
Values Added: CWE-125; CWE-20; CWE-787

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Signalwire Freeswitch
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T20:19:56.191Z

Reserved: 2026-05-30T04:17:43.095Z

Link: CVE-2026-49475

Vulnrichment

Updated: 2026-06-09T20:19:52.953Z

NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:47.390

Modified: 2026-06-09T19:32:29.743

Link: CVE-2026-49475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T18:15:11Z

Weaknesses