CVE-2026-49840 PUBLISHED

FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing

Assigner: GitHub_M
Reserved: 01.06.2026 Published: 09.06.2026 Updated: 09.06.2026

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	signalwire
Product	freeswitch
Versions	Version < 1.11.1 is affected

References

Problem Types

CWE-20: Improper Input Validation CWE
CWE-122: Heap-based Buffer Overflow CWE
CWE-195: Signed to Unsigned Conversion Error CWE
CWE-787: Out-of-bounds Write CWE