CVE-2026-49847: FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Stack-based buffer overflow (stack exhaustion via recursive JSON parsing) in FreeSWITCH's bundled cJSON parser allows a remote, unauthenticated attacker to crash the FreeSWITCH process by sending a single WebSocket frame containing a deeply nested JSON document. The recursion drives the worker thread's stack pointer into the kernel stack guard page, raising SIGSEGV and terminating all active calls and sessions on the host. No authentication or victim interaction is required; the service only needs to be reachable over the network. A patched-image rebuild at version 1.11.1 is available on HarborGuard for environments running an affected version.
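The crash described above happens because parser recursion depth follows the nesting depth of the incoming JSON. As an added example (not FreeSWITCH or cJSON code, and not the 1.11.1 patch), the following constant-stack check rejects over-deep text before a recursive parser sees it; the name `json_depth_check`, its return codes and the limit of 4 are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdbool.h>

enum { JSON_DEPTH_OK = 0, JSON_TOO_DEEP = -1, JSON_UNBALANCED = -2 };

/* Scan a JSON text in one iterative pass and refuse it when arrays/objects
 * nest deeper than `limit`. Uses constant stack, so the check cannot be
 * exhausted by the input it guards against. It does not validate JSON
 * (it does not pair '[' with ']'); that stays the parser's job. */
int json_depth_check(const char *buf, size_t len, size_t limit)
{
    size_t depth = 0;
    bool in_string = false, escaped = false;

    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (in_string) {
            /* Brackets inside a string literal are data, not structure. */
            if (escaped)        escaped = false;
            else if (c == '\\') escaped = true;
            else if (c == '"')  in_string = false;
            continue;
        }
        if (c == '"') {
            in_string = true;
        } else if (c == '[' || c == '{') {
            if (depth == limit) return JSON_TOO_DEEP;   /* stop early */
            depth++;
        } else if (c == ']' || c == '}') {
            if (depth == 0) return JSON_UNBALANCED;
            depth--;
        }
    }
    return (in_string || depth != 0) ? JSON_UNBALANCED : JSON_DEPTH_OK;
}

int main(void)
{
    /* Constructed samples; the limit of 4 is only for illustration. */
    const char *ok   = "{\"cmd\":[1,{\"note\":\"]]]] not structure\"}]}";
    const char *deep = "[[[[[0]]]]]";
    printf("ok=%d deep=%d\n",
           json_depth_check(ok, strlen(ok), 4),
           json_depth_check(deep, strlen(deep), 4));
    return 0;
}
```

A production limit should be set from the deepest document the deployment legitimately receives.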
HarborGuard Coverage
Detection of CVE-2026-49847 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle FreeSWITCH or its cJSON dependency directly.
Status: Available
HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting that score against each environment's compliance policy to determine urgency. Findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Status: Available
Because no fix version was published at the time of this record's ingestion, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available at the fixed version the moment the upstream maintainers ship one. For customers who opt into auto-remediation, the rebuild will trigger automatically, followed by a regression-test run and a PR opened against affected workloads, subject to compliance policy.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the FreeSWITCH WebSocket endpoint over the network; no local or physical access is needed, but the service port must be exposed to the attacker.
- Authentication: Not required
  No account or credential is needed; a single unauthenticated WebSocket frame is sufficient to trigger the crash.
- Victim interaction: Not required
  The attacker sends the malicious frame directly to the server; no user action or social engineering is involved.
- Attack complexity: Detail
  Exploitation is reliable and condition-free: crafting a deeply nested JSON document requires no timing, memory-layout knowledge, or special environmental state.
Blast Radius
- Crashes the FreeSWITCH process immediately, dropping every active call and session on the host.
- Raises an unhandled SIGSEGV that terminates the worker thread and the parent process, causing a full service outage until the process is restarted.
- No confidential data is read and no persistent state is modified; impact is limited to availability.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against images in every connected registry and pipeline within minutes of advisory ingestion, covering both official FreeSWITCH images and any custom image that bundles the affected cJSON parser. Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available automatically once the upstream maintainers ship a fix. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, where compliance policy permits. In the interim, compensating controls available for consideration include network-policy isolation (restricting WebSocket port exposure to known-good source ranges), egress filtering at the ingress layer, and where operationally feasible, disabling unauthenticated WebSocket access via FreeSWITCH's ACL or proxy configuration until a patched image becomes available.
- signalwire / freeswitch < 1.11.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H