CVE Catalog

CVE-2026-49847

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

12th percentile - higher than 12% of all known CVEs

Summary

In FreeSWITCH versions prior to 1.11.1, there is a vulnerability that allows remote denial of service by sending a single unauthenticated WebSocket frame containing a deeply nested JSON document. This causes a stack overflow, terminating all calls and sessions on the host.

Risk Assessment

An attacker can exploit this vulnerability to disrupt telecommunications services, leading to communication outages and potential financial losses for the organization.

Recommendation

It is recommended to upgrade to FreeSWITCH version 1.11.1 or later to mitigate this vulnerability and secure the system against potential attacks.

Original NVD description (English source)

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS