CVE-2026-49840 | THREATINT

Description

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.

PUBLISHED Reserved 2026-06-01 | Published 2026-06-09 | Updated 2026-06-09 | Assigner GitHub_M

CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Problem types

CWE-20: Improper Input Validation

CWE-122: Heap-based Buffer Overflow

CWE-195: Signed to Unsigned Conversion Error

CWE-787: Out-of-bounds Write

Product status

< 1.11.1

affected

References

github.com/...switch/security/advisories/GHSA-g597-9fgg-ghg9

github.com/signalwire/freeswitch/releases/tag/v1.11.1

cve.org (CVE-2026-49840)

nvd.nist.gov (CVE-2026-49840)

Download JSON