How is CVE-2026-10629 exploited?

Network reachability (required): The attacker must be on the network path between the UE (handset) and the IMS core, reachable over the radio access network or core transport, to intercept or inject SIP messages. Authentication (not-required): No credentials or account are required; the attack relies on passive monitoring or active injection of cleartext SIP traffic, not any authenticated session. Victim interaction (not-required): The victim does not need to click anything or take any action beyond initiating or receiving a VoLTE call. Attack complexity (info): Attack complexity is rated High, meaning the attacker must be precisely positioned on the network path (on-path or man-in-the-middle) and able to intercept or inject radio or core-network traffic, which requires deliberate setup rather than opportunistic access.

What is the impact of CVE-2026-10629?

Reads SIP INVITE, BYE, and REGISTER messages, exposing call metadata including caller and callee identities, timing, and session parameters. Modifies SIP message headers or bodies in transit, allowing call redirection, session hijacking, or spoofed call termination. Undermines the authenticity of VoLTE signaling, enabling an attacker to impersonate the IMS core or a legitimate endpoint to the device.

Back to search

HIGHCVE-2026-10629Published 2026-06-02Modified 2026-06-03CNA certcc

CVE-2026-10629: CVE-2026-10629

SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network.

CVSS v3.1: 7.4
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a missing cryptographic protection vulnerability in the SIP signaling stack of Verizon IMS, the component that handles call setup and teardown for VoLTE (Voice over LTE) calls. An attacker positioned on the network path between the device and the IMS core can passively monitor unencrypted SIP messages or actively modify them without authentication, because the stack omits the IPsec integrity headers (Security-Client and Security-Server) and Encapsulating Security Payload (ESP) traffic that the 3GPP standard requires. Successful exploitation gives the attacker read access to call signaling metadata and the ability to tamper with call setup, effectively compromising the confidentiality, integrity, and authenticity of VoLTE calls. No upstream fix version has been published; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as one becomes available.

HarborGuard Coverage

Detection

Detection for CVE-2026-10629 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle IMS or SIP stack components.

Available

Triage

HarborGuard scores this CVE at 7.4 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine priority and routing. Triage findings are delivered to the team inbox or ticketing integration configured for each customer org.

Available

Patch

Because no fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating-control recommendations (see below) are surfaced through the standard findings workflow.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must be on the network path between the UE (handset) and the IMS core, reachable over the radio access network or core transport, to intercept or inject SIP messages.
AuthenticationNot required
No credentials or account are required; the attack relies on passive monitoring or active injection of cleartext SIP traffic, not any authenticated session.
Victim interactionNot required
The victim does not need to click anything or take any action beyond initiating or receiving a VoLTE call.
Attack complexityDetail
Attack complexity is rated High, meaning the attacker must be precisely positioned on the network path (on-path or man-in-the-middle) and able to intercept or inject radio or core-network traffic, which requires deliberate setup rather than opportunistic access.

Blast Radius

Reads SIP INVITE, BYE, and REGISTER messages, exposing call metadata including caller and callee identities, timing, and session parameters.
Modifies SIP message headers or bodies in transit, allowing call redirection, session hijacking, or spoofed call termination.
Undermines the authenticity of VoLTE signaling, enabling an attacker to impersonate the IMS core or a legitimate endpoint to the device.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-10629 is tracked continuously with no published fix version as of the date of this record. HarborGuard re-checks the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers who opt into auto-remediation, open a PR against affected workloads the moment an upstream fix is published. While no patch is available, HarborGuard surfaces compensating-control recommendations including network-policy isolation to restrict SIP signaling traffic to known IMS endpoints, egress filtering to block unexpected SIP flows from container workloads that embed IMS or SIP stack components, and feature-flag gating to disable affected signaling paths where the deployment architecture permits. Where compliance policy requires escalation for unpatched HIGH-severity CVEs, HarborGuard routes findings to the appropriate team inbox according to each environment's configured policy.

See how HarborGuard automates this

Affected packages

Verizon / VoLTE
UNKNOWN

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

3gpp.org

Metrics

Get notified