Severity: HIGH | CVE-2026-45771 | CNA: GitHub_M

CVE-2026-45771: FreeSWITCH Denial-of-Service in SIP PUBLISH Requests via XML Entity Expansion

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH's bundled XML parser expands nested <!ENTITY> declarations without a depth or count bound, so a small DTD can describe a body that expands exponentially ("billion laughs"). The PIDF body of a SIP PUBLISH is fed to this parser before any digest check, letting an unauthenticated network attacker force unbounded CPU and memory consumption with a single request. This issue has been patched in version 1.11.0.
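A pre-parse bound on entity expansion of the kind the advisory says the bundled parser lacks, as an added Python example (not FreeSWITCH's code or its 1.11.0 patch). The function names, the limits and the sample body are assumptions constructed for illustration, and only internal general entities are modelled.

```python
import re

# Internal general entities only: <!ENTITY name "value"> (parameter and
# external entities are not modelled in this sketch).
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([\w.-]+);')
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(\[.*?\])?\s*>', re.S)
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


class EntityLimitExceeded(ValueError):
    """The body would expand past the configured bounds."""


def _text_size(text, decls, cache, stack, max_len):
    # Literal characters plus the expanded size of every reference.
    total = len(ENTITY_REF.sub("", text))
    for name in ENTITY_REF.findall(text):
        total += _entity_size(name, decls, cache, stack, max_len)
        if total > max_len:
            raise EntityLimitExceeded(f"expansion exceeds {max_len} characters")
    return total


def _entity_size(name, decls, cache, stack, max_len):
    if name in PREDEFINED:
        return 1
    if name not in decls:
        return 0  # undeclared: left for the real parser to reject
    if name in stack:
        raise EntityLimitExceeded(f"entity &{name}; refers to itself")
    if name not in cache:  # memoised, so cost is linear in the DTD size
        cache[name] = _text_size(decls[name], decls, cache, stack + (name,), max_len)
    return cache[name]


def check_publish_body(body, max_len=65536, max_decls=16):
    """Return the expanded size of body, or raise EntityLimitExceeded."""
    decls = {}
    for m in ENTITY_DECL.finditer(body):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        decls.setdefault(m.group(1), value)  # first declaration binds, as in XML
    if len(decls) > max_decls:
        raise EntityLimitExceeded(f"more than {max_decls} entity declarations")
    return _text_size(DOCTYPE.sub("", body), decls, cache={}, stack=(), max_len=max_len)


# Constructed sample: two nesting levels, fan-out 3.
SAMPLE = '<!DOCTYPE p [<!ENTITY a "xyz"><!ENTITY b "&a;&a;&a;">]><p>&b;</p>'
```

Because the size is computed from the declarations rather than by materialising the expansion, the check finishes quickly even when the expanded size would be exponential in the size of the DTD.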

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an XML Entity Expansion (also known as a billion-laughs) denial-of-service vulnerability in FreeSWITCH, the open-source software-defined telecom stack. A remote, unauthenticated attacker can send a single crafted SIP PUBLISH request containing a malicious DTD payload that causes the XML parser to expand nested entity declarations without bound, consuming all available CPU and memory. Successful exploitation crashes or hangs the FreeSWITCH process, taking the affected telephony service offline. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-45771 is available across every HarborGuard environment, with the CVE matched against customer images (including custom-built FreeSWITCH images) within minutes of ingestion from upstream advisory feeds. Any image found to include a FreeSWITCH installation prior to the fixed version will be flagged automatically in the relevant registry and pipeline scan.

Status: Available

Triage

HarborGuard surfaces this finding with its CVSS 7.5 HIGH score and applies per-environment compliance policy weighting to prioritize it appropriately within each customer organization's workflow. Routed findings are delivered to the inbox or ticketing integration configured for the affected environment, so the right team receives the alert without manual triage overhead.

Status: Available

Patch

Because no upstream fix version has been published for CVE-2026-45771, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment FreeSWITCH 1.11.0 or a subsequent fix release appears upstream. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated automatically once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the FreeSWITCH SIP listener over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    The vulnerable XML parser processes the PIDF body of a SIP PUBLISH before any digest authentication check, so no credentials are required.

  • Victim interaction: Not required

    The attacker sends a single crafted request with no need for any user or administrator to interact with it.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; crafting a valid billion-laughs DTD payload requires no special timing, memory layout knowledge, or environmental dependencies.

Blast Radius

  • The FreeSWITCH process consumes all available CPU cycles attempting to expand the recursive entity tree, rendering call processing unresponsive.
  • Unbounded memory allocation causes the host to exhaust RAM and potentially swap, which can destabilize other co-located services or containers on the same node.
  • All active SIP sessions handled by the affected FreeSWITCH instance are dropped, interrupting in-progress voice and video calls.
  • The service remains unavailable until the process is killed and restarted, giving the attacker a persistent denial-of-service window with repeated single-packet requests.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-45771 is tracked continuously against every scanned image that packages FreeSWITCH below version 1.11.0. Because no upstream fix has shipped, HarborGuard monitors the advisory on each ingest cycle and will trigger patched-image rebuilds the moment a fix version is confirmed; for customers with auto-remediation enabled, that means a rebuilt image, a regression-test run, and a PR opened against affected workloads with no manual intervention required. In the interim, compensating controls available within HarborGuard policy include flagging any image exposing the FreeSWITCH SIP port externally, enforcing network-policy isolation rules that restrict inbound SIP PUBLISH traffic to trusted source ranges, and applying egress filtering to limit lateral blast radius on the host. Customers can also use feature-flag or runtime-policy gates to block deployment of affected FreeSWITCH images to production until the patched rebuild is available.

Affected packages
  • signalwire / freeswitch
    < 1.11.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H