CVE-2026-49847
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
In FreeSWITCH versions prior to 1.11.1, there is a vulnerability that allows remote denial of service by sending a single unauthenticated WebSocket frame containing a deeply nested JSON document. This causes a stack overflow, terminating all calls and sessions on the host.
Risk Assessment
An attacker can exploit this vulnerability to disrupt telecommunications services, leading to communication outages and potential financial losses for the organization.
Recommendation
It is recommended to upgrade to FreeSWITCH version 1.11.1 or later to mitigate this vulnerability and secure the system against potential attacks.
Original NVD description (English source)
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1.

