HIGH | CVE-2026-49475 | CNA: GitHub_M

CVE-2026-49475: FreeSWITCH: Out-of-bounds memory access in core STUN attribute parsing

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

Out-of-bounds memory access in FreeSWITCH's core STUN attribute parser allows a remote, unauthenticated attacker to crash the affected service by sending a crafted STUN packet with a deliberately undersized attribute length field. The parser casts the attribute to a larger structure and reads and writes past the end of the per-leg media buffer, triggering memory corruption. Successful exploitation causes a denial of service against the FreeSWITCH process. Note: the CVE description states a fix exists in version 1.11.0, but no fix version has been formally published in the advisory record; HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as a fix version is confirmed.

HarborGuard Coverage

Detection

Detection for CVE-2026-49475 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (NVD, GitHub Advisory Database, and CNA feeds) within minutes of publication and matched against all customer images, including custom-built FreeSWITCH images in private registries and CI pipelines.

Status: Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Alerts are directed to the team or inbox configured within each customer organization for network-reachable, unauthenticated, high-severity findings.

Status: Available

Patch

Because no fix version has been formally published in the advisory record, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment a confirmed fix version appears. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The STUN parser is exposed over the network; an attacker must be able to send UDP or TCP STUN packets to the FreeSWITCH media port to trigger the vulnerability.

  • Authentication: Not required

    No credentials or session are required; the malformed STUN packet is processed before any authentication check.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user or administrator of the affected system.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites beyond network access.

Blast Radius

  • The FreeSWITCH process crashes, dropping all active calls and media sessions on the affected node.
  • All in-progress call legs handled by the affected instance are terminated immediately, disrupting real-time voice and video traffic.
  • Service remains unavailable until the process is restarted, and repeated exploitation can prevent recovery if the attacker continues sending malformed packets.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49475 is active across all environments scanning images that include FreeSWITCH. Because no fix version has been formally confirmed in the advisory record at this time, no patched-image rebuild can yet be generated. HarborGuard monitors the upstream advisory on every ingest cycle; the moment a fix version is confirmed, a rebuilt image becomes available and, for customers with auto-remediation enabled, a rebuild plus regression run and PR against affected workloads will be triggered automatically.

In the interim, compensating controls available through network policy include:

  • isolating FreeSWITCH media ports (typically UDP 16384-32768 and the STUN port) behind a network policy that restricts STUN traffic to trusted peers only;
  • applying egress filtering to limit lateral reach in the event of process compromise;
  • where operationally feasible, disabling ICE or STUN negotiation via FreeSWITCH's sofia profile configuration until a patched build is available.

Affected packages
  • signalwire / freeswitch: < 1.11.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H