HIGH 7.5

CVE-2026-49847: FreeSWITCH WebSocket JSON Denial-of-Service (Stack Overflow)

FreeSWITCH versions prior to 1.11.1 are vulnerable to a denial-of-service attack that can be triggered by sending a specially crafted WebSocket message containing deeply nested JSON data. An attacker requires no authentication and can crash the entire FreeSWITCH process from the network, immediately terminating all active calls and sessions on the affected host. The vulnerability exploits improper recursion handling in JSON parsing, causing a stack overflow that the kernel stops before any memory corruption can be weaponized.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-674
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in FreeSWITCH's WebSocket frame handling logic, specifically in the parsing of deeply nested JSON documents received over unauthenticated connections. When a worker thread processes the malicious frame, recursive JSON parsing drives the stack pointer into the guard page, triggering SIGSEGV from the kernel. The stack overflow occurs before exploitation can progress to arbitrary code execution, meaning this is a pure denial-of-service condition rather than a memory safety bypass. The issue maps to CWE-674 (Uncontrolled Recursion). Patching introduces additional recursion depth checks or iterative parsing to prevent stack exhaustion.

Business impact

For organizations operating FreeSWITCH as a production voice/video communication platform, this vulnerability enables anyone on the network to stop all calls and tear down active sessions without warning. Service downtime could range from seconds (auto-restart) to minutes (manual intervention). In telecom, healthcare, contact center, or emergency dispatch environments, even brief availability loss can affect SLAs, customer trust, and operational continuity. The unauthenticated, network-accessible attack surface means no prior foothold is required.

Affected systems

FreeSWITCH versions prior to 1.11.1 are affected. Any deployment that exposes the WebSocket interface to untrusted networks—whether directly or through a load balancer or reverse proxy—is at risk. The vulnerability requires no special configuration; the vulnerable code is present in the default build. Organizations running 1.11.1 or later are unaffected.

Exploitability

This vulnerability has a CVSS 3.1 score of 7.5 (HIGH) reflecting high exploitability: no authentication is required, network access is trivial, and attack complexity is low. A single WebSocket frame containing nested JSON can be crafted with basic tooling. However, no public exploit code or proof-of-concept details have been disclosed as of the advisory date, and the vulnerability is not yet tracked in the CISA Known Exploited Vulnerabilities catalog. The barrier to exploitation is technical knowledge of the FreeSWITCH WebSocket protocol rather than a weaponized tool.

Remediation

Upgrade FreeSWITCH to version 1.11.1 or later. The patch hardens JSON parsing to prevent uncontrolled recursion. For organizations unable to patch immediately, consider network segmentation to limit WebSocket access to trusted clients only, or disable the WebSocket interface if not required for your deployment. Auto-restart mechanisms can mitigate transient impact but do not address the underlying vulnerability.

Patch guidance

Apply FreeSWITCH update 1.11.1 as soon as feasible, prioritizing production systems that handle real-time communications. Test in a staging environment first to confirm compatibility with your deployment (custom modules, call routing logic, integration points). The patch is likely a minor version bump and should be backward compatible; consult the FreeSWITCH release notes to verify. Coordinate patching during maintenance windows to minimize disruption to active calls.

Detection guidance

Monitor for abnormal FreeSWITCH process crashes or core dumps, particularly if they coincide with WebSocket traffic spikes. Log WebSocket frame arrivals and flag frames with unusually deep JSON nesting (recursion depth >50 levels is suspect). Implement rate limiting on WebSocket connections from unauthenticated clients. Intrusion detection systems can inspect WebSocket payloads for pathological JSON structures, though signature-based detection may require custom rules. Monitor process exit codes for SIGSEGV in FreeSWITCH logs.

Why prioritize this

This is a HIGH-severity denial-of-service vulnerability affecting a critical telecom infrastructure component. The unauthenticated network-accessible attack vector, combined with the immediate and complete service impact (all calls drop), makes it a significant business risk. While not in the CISA KEV catalog yet, the simplicity of exploitation and the lack of user interaction required mean organizations should prioritize patching to maintain service availability. Risk is further amplified in industries (healthcare, emergency services, contact centers) where call continuity is mission-critical.

Risk score, explained

CVSS 3.1 score of 7.5 (HIGH) reflects: (1) Network accessibility with no prerequisites (AV:N, PR:N); (2) Low attack complexity (AC:L); (3) Complete availability impact (A:H) affecting all concurrent users; (4) no impact to confidentiality or integrity. The score appropriately captures the availability threat while reflecting that no data breach or code execution occurs. Organizations relying on FreeSWITCH for real-time communications should treat this as a high-priority patch candidate.

Frequently asked questions

Can this vulnerability be exploited from the internet, or only from the local network?

The vulnerability is network-accessible from any host that can reach the FreeSWITCH WebSocket port. If that port is exposed to the internet (common in cloud deployments or when behind a load balancer), remote attackers can exploit it. If the WebSocket port is isolated to a private network or firewall-restricted, the attack surface is reduced but not eliminated for insiders or adjacent network segments.

What happens when the attack occurs—does it corrupt data or lose calls permanently?

When the stack overflow triggers SIGSEGV, the FreeSWITCH process terminates abruptly. All active calls and sessions are dropped immediately from the host's perspective. Call state is typically lost unless it's persisted to an external database. However, the vulnerability does not corrupt the database itself or affect other servers in a clustered deployment. Calls may fail over or retry depending on your SIP infrastructure; data integrity is not compromised.

Do I need to upgrade if I don't use WebSocket connections?

Yes. If WebSocket is loaded or enabled (the default in most FreeSWITCH builds), the vulnerability is present regardless of whether you actively use it for client connections. The attack surface only disappears if you explicitly disable the WebSocket module or run a custom build without it. Verify your FreeSWITCH module configuration and consider disabling WebSocket if unused.

What is the difference between this vulnerability and a typical application crash?

This is a stack overflow caused by uncontrolled recursion in JSON parsing, not a random bug. An attacker can reliably trigger it by crafting a specific malicious WebSocket frame. It meets the definition of a denial-of-service vulnerability because the attack is reproducible, requires minimal resources, and guarantees service interruption. A typical crash might be intermittent or require specific conditions; this one is deterministic.

This analysis is based on official CVE data and FreeSWITCH vendor advisories current as of June 2026. Specific patch version numbers (1.11.1) must be verified against the official FreeSWITCH release page before deployment. Exploitability claims reflect the known attack surface as of the publication date; proof-of-concept code or active exploitation may alter risk assessment. Organizations should conduct their own testing and impact analysis in staging environments before patching production systems. This vulnerability does not affect FreeSWITCH versions 1.11.1 and later. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).