CVE-2026-49842: FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1.
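The parsing flaw described above, shown beside a bounded alternative. This is an added example, not FreeSWITCH source and not the 1.11.1 patch; the function names, the `#SPU <size>` frame layout, the `authenticated` flag and the 1 MiB cap are assumptions made for illustration.

```c
/* Added example: not FreeSWITCH code. Names, frame layout and the cap
 * below are assumptions for illustration. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define SPEEDTEST_MAX_BYTES (1024L * 1024L)   /* assumed cap: 1 MiB */

/* Pattern described in the advisory: atoi() plus a non-positive check.
 * Returns the accepted size, or -1 if the frame is rejected. */
long parse_size_unbounded(const char *frame)
{
    if (strncmp(frame, "#SPU ", 5) != 0) return -1;
    int size = atoi(frame + 5);
    if (size <= 0) return -1;
    return size;               /* anything up to INT_MAX is accepted */
}

/* Bounded variant: authentication gate first, strict numeric parse,
 * then an explicit upper limit on the declared size. */
long parse_size_bounded(const char *frame, int authenticated)
{
    char *end = NULL;
    long size;

    if (!authenticated) return -1;
    if (strncmp(frame, "#SPU ", 5) != 0) return -1;

    errno = 0;
    size = strtol(frame + 5, &end, 10);
    if (errno == ERANGE || end == frame + 5) return -1;  /* overflow or no digits */
    while (*end == ' ' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return -1;                          /* trailing garbage */
    if (size <= 0 || size > SPEEDTEST_MAX_BYTES) return -1;
    return size;
}

/* Bytes the download phase would send for an accepted size, using the
 * advisory's "roughly size * 10" figure. */
long long reply_bytes(long size)
{
    return size > 0 ? (long long)size * 10 : 0;
}
```

With the unbounded parse, a declared size of INT_MAX maps to a reply of about 21.5 GB; the bounded variant rejects the same frame and caps any accepted reply at 10 MiB.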
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A bandwidth amplification vulnerability exists in FreeSWITCH's mod_verto WebSocket handler, affecting versions before 1.11.1. The flaw is reachable over the network with no authentication required: the speed-test protocol (#SPU/#SPB/#SPE) is processed before any credential check, and the declared payload size is parsed without an upper bound, allowing an unauthenticated remote peer to trigger roughly 20 GB of outbound traffic per request. Successful exploitation causes severe service disruption by exhausting network bandwidth. A patched-image rebuild at version 1.11.1 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle FreeSWITCH, across all registered registries and CI pipelines.
Available
HarborGuard is capable of scoring this finding at CVSS 7.5 (HIGH) and weighting it against each environment's compliance policy to determine escalation priority; triage routing to the appropriate team inbox within each customer organization is available automatically.
Available
Because the upstream fix is published at version 1.11.1, a patched-image rebuild targeting that version is available on HarborGuard for any environment found running an affected image. For customers who opt into auto-remediation, the platform can perform the rebuild, run a regression test suite, and open a pull request against affected workloads.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the FreeSWITCH WebSocket endpoint over the network; no local or physical access is needed.
- Authentication: Not required
  The speed-test frame handler is invoked before any authentication check, so no credentials or session token are needed.
- Victim interaction: Not required
  The server processes the malformed speed-test frame automatically upon receipt; no user action is involved.
- Attack complexity: Detail
  Exploitation is reliable and condition-free: sending a single crafted #SPU frame with a large declared size is sufficient to trigger the amplified response.
Blast Radius
- An attacker exhausts the server's outbound network bandwidth by triggering responses on the order of 20 GB per request from a short WebSocket message.
- Repeated requests can sustain saturation of the host's network interface, denying service to legitimate SIP and WebRTC sessions.
- No confidential data is read and no stored data is modified; impact is limited to availability.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-49842 is active and capable of flagging any image that packages FreeSWITCH below version 1.11.1, including internally built images. Because the upstream maintainers have published a fix at 1.11.1, a patched-image rebuild is available for affected environments. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the fixed version, execute a regression run, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Until a rebuild is deployed, compensating controls worth considering include network-policy rules that restrict access to the FreeSWITCH WebSocket port (typically 8081/8082) to known-good source ranges, and egress rate limiting at the host or container level to cap outbound bandwidth that the amplification loop can consume.
- signalwire / freeswitch < 1.11.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H