Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the mod_verto HTTP request handler allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts Content-Length up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than the buffer size, producing an attacker-controlled heap overflow of up to ~8 MiB -- before the HTTP basic-auth check runs. This issue has been patched in version 1.11.1.
Published: 2026-06-09
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A pre‑authentication heap buffer overflow exists in FreeSWITCH's mod_verto module. The module allocates a fixed 2 MiB buffer for a POST body yet accepts Content‑Length values up to nearly 10 MiB. The read loop is bounded by the declared length, allowing an attacker to send a body that overflows the buffer by up to approximately 8 MiB before the HTTP basic‑auth check executes. The flaw corresponds to CWE‑122 and CWE‑131 and can lead to memory corruption, denial of service, and potentially remote code execution if the attacker can inject payloads that trigger execution during the overflow.

Affected Systems

Affected systems include all FreeSWITCH deployments from signalwire running a version prior to 1.11.1, which is identified as the last patched hit. The vulnerability is present in every build before that release and was addressed by increasing the buffer to match the maximum Content‑Length or by validating length before allocation.

Risk and Exploitability

The CVSS score is 9.8, indicating critical severity, and the vulnerability is not listed in KEV and its EPSS is not available, so the current estimated exploitation probability is unknown but mitigated when the preceding authentication is not reached. Attackers can exploit the flaw via an HTTP POST to the mod_verto endpoint, sending a large payload that forces the buffer overflow. Because the vulnerability triggers before authentication, the exploit does not require credentials, making it readily exploitable by any remote host that can reach the service.

Generated by OpenCVE AI on June 9, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FreeSWITCH 1.11.1 or later where the buffer size matches the maximum Content‑Length and the overflow is prevented.
  • If an upgrade is not immediately possible, block or restrict access to the mod_verto HTTP endpoint on the network perimeter so that only trusted hosts can reach it.
  • Disable the mod_verto module altogether if the application does not require its functionality, thereby removing the vulnerable code path.
  • Apply a firewall rule or HTTP layer filter that rejects POST requests whose body length exceeds 2 MiB before they reach the application.

Generated by OpenCVE AI on June 9, 2026 at 17:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Signalwire
Signalwire freeswitch
Vendors & Products Signalwire
Signalwire freeswitch

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the mod_verto HTTP request handler allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts Content-Length up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than the buffer size, producing an attacker-controlled heap overflow of up to ~8 MiB -- before the HTTP basic-auth check runs. This issue has been patched in version 1.11.1.
Title FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read
Weaknesses CWE-122
CWE-131
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Signalwire Freeswitch
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T18:25:15.498Z

Reserved: 2026-06-01T18:50:36.057Z

Link: CVE-2026-49841

cve-icon Vulnrichment

Updated: 2026-06-09T18:25:11.951Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:47.870

Modified: 2026-06-09T19:32:29.743

Link: CVE-2026-49841

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T17:45:10Z

Weaknesses