HIGH 7.5

CVE-2026-49475: FreeSWITCH STUN Parser Out-of-Bounds Memory Access (Denial of Service)

FreeSWITCH, a popular open-source telecom platform used to build VoIP and communication systems, contains a flaw in how it processes STUN packets—a protocol used for network address translation and firewall traversal in voice communications. An attacker sending a specially crafted STUN packet with a mismatched attribute length can cause the software to read and write beyond allocated memory buffers. This out-of-bounds memory access occurs in the media buffer handling logic and can crash the affected FreeSWITCH instance, disrupting voice and video services. The vulnerability affects all versions prior to 1.11.0.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-125, CWE-20, CWE-787
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper input validation in FreeSWITCH's STUN (Session Traversal Utilities for NAT) packet parser. When processing STUN attributes, the parser casts incoming packet data to a specific structure without verifying that the declared attribute length matches the expected size of that structure. An attacker can supply a STUN packet where the attribute length field is shorter than the structure definition, allowing the parser to access memory beyond the declared attribute boundary. This out-of-bounds read and write affects the per-leg media buffer—the memory region allocated for handling media streams on individual call legs. The flaw is rooted in CWE-125 (out-of-bounds read), CWE-20 (improper input validation), and CWE-787 (out-of-bounds write).

Business impact

A successful exploit results in denial of service: the affected FreeSWITCH process crashes, immediately terminating active calls and preventing new calls from being established. For organizations relying on FreeSWITCH as their primary or backup voice infrastructure—including enterprises with on-premises PBX deployments, hosting providers, or VoIP carriers—exploitation can cause service outages affecting hundreds or thousands of users. The vulnerability carries no risk of confidentiality or integrity compromise, but availability impact is complete and immediate. Recovery requires manual process restart, causing business continuity gaps.

Affected systems

FreeSWITCH versions prior to 1.11.0 are vulnerable. This includes all 1.10.x releases and earlier. Deployments include on-premises PBX systems, cloud-hosted communication platforms, and telecom infrastructure providers using FreeSWITCH as the core switching engine. Any FreeSWITCH instance exposed to untrusted network sources capable of sending STUN packets is at risk; this typically includes any publicly accessible voice service or systems accepting calls from external networks.

Exploitability

Exploitation requires no authentication, no user interaction, and no special privileges. An attacker needs only network-level access to send a single malicious STUN packet to the target FreeSWITCH instance. STUN packets are typically sent on UDP ports 3478 (standard) or other configured ports. The attack can be executed remotely over the network with minimal complexity, making the barrier to exploitation low. However, the vulnerability requires precise knowledge of the packet format and structure alignment to trigger reliably; the attack is not wormable or self-propagating.

Remediation

Upgrade FreeSWITCH to version 1.11.0 or later. Organizations unable to upgrade immediately should implement network-level mitigation: restrict STUN traffic (UDP port 3478 and any alternative STUN ports) to trusted sources only via firewall rules. Additionally, monitor FreeSWITCH process logs and system crash reports for unexpected terminations that may indicate exploitation attempts.

Patch guidance

Apply the patch by upgrading to FreeSWITCH 1.11.0 or any subsequent release. Consult the FreeSWITCH project advisory for specific upgrade procedures, as the process varies by deployment method (source compilation, package manager, containerized deployment). Test the upgrade in a non-production environment first, particularly if you have custom modules or configuration. The fix involves corrective input validation in the STUN parser to ensure declared attribute lengths match expected structure sizes.

Detection guidance

Monitor for FreeSWITCH process crashes or unexpected terminations, particularly when correlated with STUN packet traffic. Enable debug logging in FreeSWITCH's STUN module if available to log malformed STUN packets. Network-based detection can flag STUN packets with inconsistent or suspiciously short attribute length fields, though this requires packet inspection at the application layer. Host-based indicators include segmentation faults or memory violation errors in FreeSWITCH core dumps if core dumps are enabled.

Why prioritize this

This vulnerability merits immediate patching priority due to its high CVSS score (7.5), zero-knowledge barrier to exploitation, and direct impact on availability. While not listed in CISA's KEV catalog (indicating no evidence of active exploitation as of the vulnerability publication date), the ease of triggering and the critical role FreeSWITCH plays in voice infrastructure make it an attractive target once exploits become public. Any FreeSWITCH instance exposed to untrusted networks should be treated as under immediate threat.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects an attack vector that is network-accessible, requires no privileges or user interaction, and causes complete denial of service to the affected service. The severity does not reach CRITICAL only because there is no confidentiality or integrity impact; an attacker cannot read data, modify calls, or escalate privileges through this flaw. The score accurately reflects the real-world impact: service disruption without data breach.

Frequently asked questions

Can this vulnerability be exploited to steal voice data or eavesdrop on calls?

No. The out-of-bounds memory access causes a denial of service via process crash. The vulnerability does not enable reading sensitive call data, recording calls, or obtaining authentication credentials. The impact is limited to availability.

Do I need to upgrade if my FreeSWITCH instance is behind a firewall and only receives calls from trusted internal sources?

The risk is significantly lower in a fully internal network with access controls, but upgrade to 1.11.0 is still recommended as a defense-in-depth measure. If internal users or systems can be compromised, or if STUN traffic is received from untrusted intermediaries or carriers, treat the upgrade as urgent.

What versions of FreeSWITCH are affected?

All versions prior to 1.11.0 are vulnerable. This includes all 1.10.x and earlier releases. Check your installed version with 'fs_cli -x version' and upgrade if you are below 1.11.0.

Is there a workaround if I cannot upgrade immediately?

Network-level mitigation is your best option: restrict STUN traffic to trusted IP sources via firewall rules, or disable STUN entirely if your use case permits. However, these workarounds do not eliminate the vulnerability and are temporary measures until patching is completed.

This analysis is based on the published CVE description and does not constitute a complete security assessment. Organizations should verify patch availability and compatibility with their specific FreeSWITCH deployment version and configuration. CVSS scores represent standardized severity ratings but may not reflect risk in your specific environment; consider network exposure, asset criticality, and detection capabilities when prioritizing remediation. Consult the FreeSWITCH project's official security advisory for authoritative guidance on affected versions, patches, and remediation steps. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).