Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.
Published: 2026-06-09
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow is triggered in FreeSWITCH’s libesl component when parsing the Content-Length header. The parsing routine uses atol() to convert the header value to an integer and passes that value directly to malloc(len+1) without validating its sign or magnitude. If an attacker supplies a negative Content-Length value, the conversion leads to an extremely large unsigned size for the malloc call or an under-allocated buffer, corrupting the heap of the receiving process. The overflow occurs before an ESL peer has authenticated, allowing an attacker to exploit the flaw in the initial communication phase. This defect can lead to arbitrary code execution or denial of service by crashing the process.
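To make the defect concrete, here is an added C example (not FreeSWITCH's or libesl's own code) that places the unchecked atol()-based conversion the advisory describes next to a hardened conversion a defender would expect in an ESL frame parser; the function names and the ESL_MAX_CONTENT_LENGTH bound are assumptions made for illustration. The unchecked form shows why a negative header is dangerous: the size_t cast that malloc(len + 1) performs turns -1 into a zero-byte request and any smaller value into a near-SIZE_MAX request.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Upper bound on an ESL frame body we are willing to buffer.
 * Constructed for this example; the real libesl limit is not on the page. */
#define ESL_MAX_CONTENT_LENGTH (16u * 1024u * 1024u)

/* Unchecked conversion, mirroring the pattern the advisory describes:
 * atol() result plus one, cast to size_t exactly as malloc(len + 1) would.
 * Returns the allocation size that would be requested. */
size_t content_length_unchecked(const char *value)
{
    long len = atol(value);      /* "-1" -> -1, "abc" -> 0, no error reporting */
    return (size_t)(len + 1);    /* -1 -> 0 bytes; -2 -> SIZE_MAX (wraps) */
}

/* Hardened conversion: strtol() with full error handling plus sign and
 * magnitude checks. Returns 0 and stores the validated length in *out,
 * or -1 if the header must be rejected (the frame should then be dropped). */
int content_length_checked(const char *value, size_t *out)
{
    char *end;
    long len;

    if (value == NULL || out == NULL || *value == '\0')
        return -1;
    errno = 0;
    len = strtol(value, &end, 10);
    if (errno == ERANGE)                 /* magnitude does not fit in long */
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;                           /* tolerate trailing line-ending whitespace */
    if (*end != '\0')                    /* trailing garbage such as "12abc" */
        return -1;
    if (len < 0)                         /* the negative-length case of this CVE */
        return -1;
    if ((unsigned long)len > ESL_MAX_CONTENT_LENGTH)
        return -1;                       /* refuse absurd allocations outright */
    *out = (size_t)len;                  /* caller may now safely malloc(*out + 1) */
    return 0;
}
```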

Affected Systems

SignalWire FreeSWITCH software is affected. Versions released before 1.11.1 are vulnerable because the esl_recv_event() routine that parses the Content-Length header has not been patched. All deployments of FreeSWITCH that expose the ESL interface over the network and run an unpatched version are at risk, since the flaw is reachable before authentication.

Risk and Exploitability

The flaw scores a 9.1 on the CVSS scale and is not yet listed in CISA’s KEV catalog. The EPSS score is currently unavailable, but the high impact score indicates the potential for widespread exploitation. The vulnerability can be abused by any party that can establish a connection to the ESL interface, sending a crafted frame with a negative Content-Length before the system authenticates the client. Since the flaw exists prior to authentication, it poses a significant risk to services that allow unauthenticated or poorly secured ESL connections. The lack of an official workaround suggests the primary mitigation is to apply the vendor’s patch immediately.

Generated by OpenCVE AI on June 9, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeSWITCH to version 1.11.1 or later, which contains the necessary fix for the Content-Length parsing bug.
  • Restrict access to the ESL port by limiting firewall rules to trusted hosts or networks, thereby preventing unauthenticated clients from reaching the vulnerable component.
  • Configure the ESL interface to require authentication (e.g., using SASL or TLS) before accepting any requests, reducing the window of opportunity for an attacker to exploit the pre-authentication flaw.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Freeswitch; Freeswitch freeswitch
CPEs                |                | cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*
Vendors & Products  |                | Freeswitch; Freeswitch freeswitch

Tue, 09 Jun 2026 19:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Signalwire; Signalwire freeswitch
Vendors & Products  |                | Signalwire; Signalwire freeswitch

Tue, 09 Jun 2026 17:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 16:30:00 +0000

Type        | Values Removed | Values Added
Description |                | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.
Title       |                | FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing
Weaknesses  |                | CWE-122; CWE-195; CWE-20; CWE-787
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T17:00:21.313Z

Reserved: 2026-06-01T18:50:36.056Z

Link: CVE-2026-49840

Vulnrichment

Updated: 2026-06-09T17:00:09.680Z

NVD

Status : Analyzed

Published: 2026-06-09T17:17:47.703

Modified: 2026-06-10T15:06:24.257

Link: CVE-2026-49840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T18:45:06Z