CRITICAL | CVE-2026-49841 | CNA: GitHub_M

CVE-2026-49841: FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the mod_verto HTTP request handler allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts Content-Length up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than the buffer size, producing an attacker-controlled heap overflow of up to ~8 MiB -- before the HTTP basic-auth check runs. This issue has been patched in version 1.11.1.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

A heap buffer overflow vulnerability exists in the mod_verto HTTP POST body handler of FreeSWITCH prior to version 1.11.1. The flaw is reachable over the network without any authentication, because the overflow occurs before the HTTP basic-auth check runs. Successful exploitation gives an attacker full read, write, and execution control over the affected process, enabling data theft, tampering, or remote code execution. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built FreeSWITCH images, in both registry scans and CI pipeline checks. Any image carrying a FreeSWITCH build older than the fix threshold is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 9.8 (Critical) and weighting it against each environment's compliance policy to determine urgency tier. Triage routing can surface the finding to the appropriate team inbox within each customer org based on service ownership tags and policy configuration.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a corrected release. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will trigger automatically once the fix becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable HTTP handler is exposed over the network; an attacker must be able to send an HTTP POST request to the FreeSWITCH mod_verto listener.

  • Authentication: Not required

    The heap overflow is triggered before the HTTP basic-auth check executes, so no credentials are needed.

  • Victim interaction: Not required

    Exploitation is fully server-side; no user action or social engineering is required.

  • Attack complexity: Detail

    The exploit is reliable and condition-free: the attacker simply supplies a Content-Length value up to just under 10 MiB while the allocated buffer is only 2 MiB, with no race conditions or memory-layout dependencies required.
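The size mismatch described in the advisory text and in the conditions above, shown as an added C example of the bounded read a handler of this kind needs. It is not FreeSWITCH's code and not the upstream patch; `fake_conn`, `conn_read`, `read_body` and `demo` are hypothetical names, the socket is a constructed stand-in, and reserving one byte for a terminating NUL is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BODY_BUF_SIZE      (2u * 1024 * 1024)   /* fixed 2 MiB body buffer */
#define MAX_CONTENT_LENGTH (10u * 1024 * 1024)  /* pre-fix limit: Content-Length below 10 MiB */

/* Constructed stand-in for a socket: the peer has `remaining` bytes left to send. */
typedef struct { size_t remaining; } fake_conn;
static size_t conn_read(fake_conn *c, char *dst, size_t want) {
    size_t n = want < c->remaining ? want : c->remaining;
    if (n > 4096) n = 4096;               /* short reads, as on a real socket */
    memset(dst, 'A', n);
    c->remaining -= n;
    return n;
}

/* Flawed bound described in the advisory (shown only as a comment, never run):
 *     while (got < content_length) got += conn_read(c, buf + got, content_length - got);
 * Nothing ties `got` to the buffer capacity, so writes continue past 2 MiB. */

/* Hardened read: returns bytes stored, or -1 when the declared length cannot fit. */
long read_body(fake_conn *c, char *buf, size_t cap, size_t content_length) {
    size_t got = 0;
    if (content_length >= cap) return -1; /* reject up front; one byte is kept for the NUL */
    while (got < content_length) {
        size_t room = cap - 1 - got;      /* second guard: never trust the header alone */
        size_t want = content_length - got;
        size_t n = conn_read(c, buf + got, want < room ? want : room);
        if (n == 0) break;                /* peer closed before sending the full body */
        got += n;
    }
    buf[got] = '\0';
    return (long)got;
}

/* Allocates the 2 MiB buffer and reads from a peer that sends `sent` bytes. */
long demo(size_t content_length, size_t sent) {
    fake_conn c = { sent };
    char *buf = malloc(BODY_BUF_SIZE);
    long r;
    if (!buf) return -2;
    r = read_body(&c, buf, BODY_BUF_SIZE, content_length);
    free(buf);
    return r;
}

int main(void) {
    printf("1 KiB: %ld, just under 10 MiB declared: %ld\n", demo(1024, 1024),
           demo(MAX_CONTENT_LENGTH - 1, MAX_CONTENT_LENGTH - 1));
    return 0;
}
```

The same comparison (declared length against buffer capacity, before any byte is read) is what a reverse proxy or WAF rule in front of the listener can enforce as a compensating control.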

Blast Radius

  • Reads process memory, which may include session tokens, credentials, call-detail records, and other data held in the FreeSWITCH heap.
  • Overwrites heap data with attacker-controlled content, allowing modification of internal state, routing tables, or persisted call configuration.
  • Achieves remote code execution on the host running FreeSWITCH by corrupting heap metadata or function pointers.
  • Crashes the FreeSWITCH process entirely, taking down all active calls and telephony services on the affected node.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists yet, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment version 1.11.1 or a later fix is published. In the interim, compensating controls available to HarborGuard customers include network-policy isolation to restrict inbound access to the mod_verto HTTP port to trusted source CIDR ranges only, egress filtering to limit lateral movement if the process is compromised, and feature-flag or startup-config gating to disable mod_verto loading on nodes where WebRTC gateway functionality is not required. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will open automatically once the fix version is confirmed in the upstream feed; for Critical-severity issues, median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes after the upstream fix ships.

Affected packages
  • signalwire / freeswitch
    < 1.11.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H