HIGHCVE-2026-39863Published 2026-04-08Modified 2026-04-09CNA GitHub_M

CVE-2026-39863: Kamailio Core: TCP Data Processing Vulnerability

Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted data packet sent over TCP. The issue impacts Kamailio instances having TCP or TLS listeners. This vulnerability is fixed in 5.1.1, 6.0.6, and 5.8.8.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

kamailio / kamailio
< 5.8.8 · >= 6.0.0, < 6.0.6 · >= 6.1.0, < 6.1.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/kamailio/kamailio/security/advisories/GHSA-2wj4-f825-2h2f

Metrics