CVE-2026-45771: FreeSWITCH XML Billion Laughs DoS – Unauthenticated Remote Denial of Service
FreeSWITCH versions before 1.11.0 contain a denial-of-service vulnerability in their XML parser that allows an unauthenticated attacker to crash or severely degrade the system by sending a specially crafted SIP message. The attack exploits a classic "billion laughs" XML expansion flaw, where nested entity definitions cause exponential memory and CPU consumption. Because the malicious payload is processed before authentication checks, an attacker on the network can trigger the vulnerability without credentials—a single request is enough to cause significant resource exhaustion.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-776
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH's bundled XML parser expands nested <!ENTITY> declarations without a depth or count bound, so a small DTD can describe a body that expands exponentially ("billion laughs"). The PIDF body of a SIP PUBLISH is fed to this parser before any digest check, letting an unauthenticated network attacker force unbounded CPU and memory consumption with a single request. This issue has been patched in version 1.11.0.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from FreeSWITCH's bundled XML parser, which recursively expands nested <!ENTITY> declarations in Document Type Definitions (DTDs) without enforcing depth or count limits. When a SIP PUBLISH message containing a PIDF (Presence Information Data Format) body with deeply nested entity definitions reaches the parser, it expands exponentially, consuming unbounded CPU and memory resources. Critically, the PIDF body is parsed before digest authentication validation occurs, allowing network-unauthenticated attackers to trigger the condition. This is a textbook implementation of the "billion laughs" or XML bomb attack pattern (CWE-776: Improper Restriction of Recursive Entity References in DTDs).
Business impact
A successful attack causes immediate denial of service to the FreeSWITCH telecommunications platform. This translates to call handling outages, dropped sessions, and unavailable voice/video services for any organization relying on the affected version. Unlike many DoS vulnerabilities requiring sustained traffic, this exploit can be triggered by a single request, making it trivial to weaponize. Recovery typically requires service restart. For carriers, hosted VoIP providers, and enterprise telephony deployments, even brief outages disrupt business continuity and erode user trust. The unauthenticated nature of the attack means no valid credentials or prior system access is required—any network-adjacent attacker can exploit it.
Affected systems
FreeSWITCH prior to version 1.11.0 is vulnerable. Organizations should inventory all FreeSWITCH deployments and check version numbers immediately. This includes on-premise PBX systems, hosted VoIP solutions, and any telecommunications infrastructure built on FreeSWITCH. Self-hosted and cloud-based instances are equally at risk if not updated. Note that FreeSWITCH is widely used in open-source telephony stacks and may be embedded in third-party telecommunications appliances; verify your vendor's FreeSWITCH baseline version.
Exploitability
Exploitability is very high. The attack requires no authentication, no user interaction, and minimal attacker sophistication—crafting a SIP PUBLISH with a malicious PIDF body containing nested DTD entities is straightforward. An attacker needs only network reachability to a FreeSWITCH instance (typically on standard SIP ports 5060/5061 or custom configurations). The CVSS score of 7.5 (HIGH) reflects the ease of exploitation and complete availability impact, though confidentiality and integrity are unaffected. No KEV status currently assigned, but the combination of ease of exploit and immediate impact makes this a high-priority patch candidate.
Remediation
Upgrade FreeSWITCH to version 1.11.0 or later as soon as possible. This is the definitive fix—the patched version enforces limits on entity expansion depth and count, preventing the billion laughs attack. Before patching, consider network segmentation to restrict who can send SIP traffic to FreeSWITCH instances, though this is a workaround, not a solution. Monitoring for unusual SIP PUBLISH requests with malformed or deeply nested DTD structures may detect exploit attempts, but will not prevent the damage. Do not rely on authentication-based mitigations, since the vulnerability is triggered before auth checks.
Patch guidance
Update to FreeSWITCH 1.11.0 or any later stable release. Follow your organization's standard change management process: test the update in a non-production environment first, document the current version and configuration, back up any custom configurations or dialplans, then apply the patch during a maintenance window. Monitor system stability and call handling metrics post-update. If you are using FreeSWITCH as part of a third-party VoIP appliance or hosted provider, contact your vendor to confirm patch availability and timeline. Do not delay—this is a trivial unauthenticated DoS with immediate impact.
Detection guidance
Monitor for SIP PUBLISH requests directed at FreeSWITCH instances, particularly those containing PIDF bodies with unusual XML structure or deeply nested <!ENTITY> declarations. Inspect firewall and SIP proxy logs for anomalous PUBLISH traffic from external or untrusted sources. Watch for sudden spikes in CPU usage, memory consumption, or process crashes on FreeSWITCH servers, especially correlated with inbound SIP traffic. IDS/IPS signatures targeting billion laughs XML attacks may trigger on malicious payloads. Application-level logging in FreeSWITCH (if enabled) may show parser errors or hangs; check for correlations between those errors and service degradation. Be aware that a single malicious request causes immediate impact, so detection may occur too late for prevention—focus on rapid patching and network access controls.
Why prioritize this
This vulnerability merits urgent priority (P1/Critical patch cycle) due to: (1) unauthenticated network exploitability requiring zero credentials, (2) trivial attack execution—a single malicious SIP message triggers denial of service, (3) high-value target set (VoIP providers and carriers depend on FreeSWITCH), (4) immediate business impact on telecommunications availability, and (5) no meaningful workaround short of network isolation. Organizations running FreeSWITCH should treat this as a same-day or next-business-day patch target, not a routine update.
Risk score, explained
CVSS 7.5 (HIGH) reflects a network-exploitable vulnerability with no authentication or user interaction required, resulting in complete availability loss. The score appropriately weights the ease of exploitation and immediate DoS impact. However, the fact that a single request causes service-level degradation, combined with the unauthenticated and network-adjacent attack vector, argues for treating this as higher priority than the numeric score alone might suggest—particularly for organizations where telecommunications availability is critical to operations. The absence of KEV status does not reduce operational risk; it may simply reflect the recent publication date.
Frequently asked questions
Can I mitigate this vulnerability without upgrading?
Not reliably. Network segmentation to restrict SIP access to trusted sources reduces exposure, but because the attack requires only network reachability and no credentials, any untrusted network path to your FreeSWITCH instance is a potential attack vector. Disabling SIP PUBLISH entirely (if your use case allows) would eliminate the specific attack surface, but this is a severe functional limitation. The only proper fix is to upgrade to version 1.11.0 or later.
Does this vulnerability affect my hosted VoIP provider?
It depends on whether they run FreeSWITCH and have patched. Contact your provider immediately and ask: (1) Do you use FreeSWITCH? (2) What version? (3) Have you patched to 1.11.0 or later? Do not assume they are aware of the vulnerability. If they have not patched, escalate to their security team and request a patch timeline.
What does a billion laughs attack do, and why is it dangerous here?
A billion laughs attack exploits XML parser recursion by defining entities that reference other entities, causing exponential expansion. A small, innocent-looking DTD definition expands to gigabytes of data in memory, consuming CPU and RAM until the system crashes. Here, FreeSWITCH parses the PIDF body before authentication, so an attacker can trigger this from the network without any credentials. A single request is enough to cause total service collapse.
Should I assume this vulnerability is being actively exploited?
There is no public exploit code or confirmed active exploitation as of now, but the simplicity of the attack and the high impact mean exploitation is trivial and may have already occurred. Do not wait for public proof-of-concept; treat this as exploitable-in-the-wild risk and patch immediately.
This analysis is provided for informational purposes to help security teams assess and remediate CVE-2026-45771. It is not a substitute for official vendor security advisories or your organization's own risk assessment. Always verify patch availability, compatibility, and testing in your environment before deploying updates. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Consult FreeSWITCH official documentation and your vendor security guidance for definitive remediation steps. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2016-20062HIGHSQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft
- CVE-2016-20063HIGHSQL Injection in Single Personal Message 1.0.3 – Credential & Data Theft Risk
- CVE-2016-20065HIGHUnauthenticated SQL Injection in Product Catalog 8 WordPress Plugin
- CVE-2017-20243HIGHWordPress Car Park Booking Plugin SQL Injection Vulnerability
- CVE-2017-20244HIGHSQL Injection in Wow Forms WordPress Plugin v2.1 – Critical Unauth Database Extraction
- CVE-2017-20245HIGHWow Viral Signups Plugin SQL Injection Vulnerability – Analysis & Patches
- CVE-2017-20246HIGHKittyCatfish 2.2 SQL Injection Vulnerability – WordPress Plugin Security Alert
- CVE-2017-20247HIGHSQL Injection in PICA Photo Gallery 1.0