CVE-2026-49840: FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.
Metrics
- CVSS v3.1
- 9.1
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A pre-authentication heap buffer overflow exists in FreeSWITCH's libesl library, in the esl_recv_event() function. The function parses the Content-Length header with atol(), performs no sign or magnitude check, and passes the result straight to malloc(len + 1). A negative value such as -1 makes that call request zero bytes while the subsequent body read is still sized by the attacker-controlled length, so data lands past the end of the allocation. A malicious or man-in-the-middle ESL peer can therefore corrupt the heap of, or crash, any process linked against libesl before the client has authenticated to that peer, with no credentials required. A patched-image rebuild at version 1.11.1 is available on HarborGuard for environments running an affected version.
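The parse-then-allocate pattern described above, as an added example written for this page and not libesl's own code: a minimal ESL header extractor feeds an unchecked atol()/malloc(len + 1) path modeled on the advisory's description, beside a hardened parser that rejects sign characters, non-digits, overflow and oversized bodies. The sample frames, the 16 MiB MAX_BODY_LEN cap and every function name here are constructed for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on one ESL frame body; an example value, not a libesl constant. */
#define MAX_BODY_LEN (16UL * 1024 * 1024)

/* Constructed sample frames. ESL frames are "Name: value\n" header lines, a
 * blank line, then Content-Length bytes of body. */
static const char FRAME_OK[]   = "Content-Type: text/event-plain\nContent-Length: 5\n\nhello";
static const char FRAME_NEG1[] = "Content-Type: text/event-plain\nContent-Length: -1\n\n";
static const char FRAME_NEG2[] = "Content-Type: text/event-plain\nContent-Length: -2\n\n";
static const char FRAME_HUGE[] = "Content-Type: text/event-plain\nContent-Length: 99999999999999999999\n\n";
static const char FRAME_OVER[] = "Content-Type: text/event-plain\nContent-Length: 16777217\n\n";
static const char FRAME_JUNK[] = "Content-Type: text/event-plain\nContent-Length: 12abc\n\n";
static const char FRAME_NONE[] = "Content-Type: auth/request\n\n";

/* Copy the value of header `name` into buf. Returns 1 on success, 0 when the
 * header is absent, -1 when the value does not fit (a number is never
 * silently truncated). */
static int get_header(const char *frame, const char *name, char *buf, size_t buflen)
{
    size_t nlen = strlen(name);
    const char *p = frame;
    while (*p != '\0' && *p != '\n') {              /* a blank line ends the headers */
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (v < p + linelen && *v == ' ') v++;
            size_t vlen = (size_t)(p + linelen - v);
            if (vlen >= buflen) return -1;
            memcpy(buf, v, vlen);
            buf[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* The pattern the advisory describes: atol() with no sign or magnitude check,
 * result handed straight to malloc(len + 1). Returns the byte count malloc()
 * would receive: "-1" yields a 0-byte chunk, "-2" wraps to SIZE_MAX, and the
 * same negative len would then size the body read into that chunk. */
size_t unchecked_alloc_size(const char *frame)
{
    char cl[32];
    if (get_header(frame, "Content-Length", cl, sizeof cl) != 1) return 0;
    long len = atol(cl);
    return (size_t)(len + 1);
}

/* Hardened replacement: unsigned decimal digits only, overflow-checked, and
 * bounded by MAX_BODY_LEN. Returns the body length, 0 when the header is
 * absent, or -1 when the frame must be rejected. */
long checked_content_length(const char *frame)
{
    char cl[32];
    int r = get_header(frame, "Content-Length", cl, sizeof cl);
    if (r < 0) return -1;
    if (r == 0) return 0;
    if (cl[0] == '\0') return -1;
    for (const char *p = cl; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p)) return -1;  /* rejects '-', '+', spaces */
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(cl, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > MAX_BODY_LEN) return -1;
    return (long)v;
}

int main(void)
{
    const char *all[] = { FRAME_OK, FRAME_NEG1, FRAME_NEG2, FRAME_HUGE, FRAME_OVER, FRAME_JUNK, FRAME_NONE };
    for (size_t i = 0; i < sizeof all / sizeof all[0]; i++)
        printf("frame %zu: checked_content_length = %ld\n", i, checked_content_length(all[i]));
    /* FRAME_HUGE is left out here: atol() on an out-of-range value is undefined. */
    const char *small[] = { FRAME_OK, FRAME_NEG1, FRAME_NEG2, FRAME_JUNK, FRAME_NONE };
    for (size_t i = 0; i < sizeof small / sizeof small[0]; i++)
        printf("frame %zu: unchecked malloc(%zu)\n", i, unchecked_alloc_size(small[i]));
    return 0;
}
```

Any C99 compiler builds this; checked_content_length() returns -1 for every malformed frame, while unchecked_alloc_size() shows that "-1" produces a zero-byte allocation and "-2" a request for SIZE_MAX bytes. In a real client the rejection should close the connection, since a peer that sends a bad Content-Length before authentication is already hostile.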
HarborGuard Coverage
Detection of CVE-2026-49840 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle libesl or FreeSWITCH. Any image containing a vulnerable version of signalwire/freeswitch below 1.11.1 will surface as affected in the HarborGuard scan pipeline.
- Status
- Available
Triage is available with a CVSS v3.1 score of 9.1 (CRITICAL), surfaced alongside per-environment compliance policy weighting so teams can calibrate severity against their own risk thresholds. Routing to the appropriate team inbox within each customer organization is handled automatically based on image ownership and policy configuration.
- Status
- Available
A patched-image rebuild at FreeSWITCH version 1.11.1 becomes available in HarborGuard as soon as the fix version is confirmed against the affected image layer. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads without requiring manual intervention.
- Status
- Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be the ESL peer that the libesl client connects to, or sit in the network path between them, in order to deliver the crafted Content-Length frame.
- Authentication: Not required
No credentials are needed; the malformed frame can be sent before the client authenticates to the ESL peer.
- Victim interaction: Not required
No user action is required; the vulnerable code path is triggered automatically on receipt of the malicious frame.
- Attack complexity: Low
Exploit conditions are reliable and free of environmental prerequisites; the attacker only needs to send a single crafted frame with a negative Content-Length value.
Blast Radius
- An attacker corrupts heap memory in any process linked against libesl, which can be leveraged to manipulate internal data structures or gain control of execution flow.
- An attacker crashes the targeted FreeSWITCH process or any linked client application, taking telephony or signaling services offline.
- Heap corruption may enable an attacker to overwrite adjacent allocations, altering call routing logic, session state, or configuration data held in memory.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-49840 fires within minutes of ingestion for any image containing FreeSWITCH below version 1.11.1, including custom images that vendor libesl. Because a fix version (1.11.1) exists, a patched-image rebuild is available immediately upon match. For customers with auto-remediation enabled, the typical flow is a rebuilt image at 1.11.1, a regression test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval before merging, HarborGuard surfaces the proposed change in the remediation queue with the CVSS 9.1 score and policy weight pre-populated for reviewer context. Customers not yet on auto-remediation should restrict ESL traffic (default TCP port 8021) with network policy on both sides: limit which hosts libesl clients may connect to and which hosts may expose an ESL listener, so that an attacker can neither act as nor interpose on the peer those clients talk to, until the image rebuild is applied.
- signalwire/freeswitch: < 1.11.1
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H