CVE-2026-39863
Received Received - Intake
Out-of-Bounds Access in Kamailio TCP Causes DoS Crash

Publication date: 2026-04-08

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted data packet sent over TCP. The issue impacts Kamailio instances having TCP or TLS listeners. This vulnerability is fixed in 5.1.1, 6.0.6, and 5.8.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-39863
EUVD
EUVD-2026-20616
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
kamailio kamailio to 5.8.8 (exc)
kamailio kamailio From 6.0.0 (inc) to 6.0.6 (exc)
kamailio kamailio 6.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39863 is a high-severity vulnerability in the Kamailio SIP Server affecting versions prior to 6.1.1, 6.0.6, and 5.8.8. It is caused by an out-of-bounds access in the core TCP data processing component when handling specially crafted TCP data packets.

This flaw allows remote attackers to cause the Kamailio server process to crash, resulting in a denial of service (DoS). The vulnerability specifically impacts Kamailio instances configured with TCP or TLS listeners.

Compliance Impact

This vulnerability causes a denial of service (DoS) by crashing the Kamailio SIP server process when handling specially crafted TCP data packets. It does not result in data disclosure or modification.

Since the vulnerability does not impact confidentiality or integrity of data, it does not directly lead to breaches of data protection requirements under standards like GDPR or HIPAA.

However, the denial of service could affect availability of the SIP service, which may indirectly impact compliance if service availability is a regulatory requirement.

To maintain compliance and security best practices, affected users should upgrade to the patched versions to prevent service disruption.

Impact Analysis

This vulnerability can cause a denial of service by crashing the Kamailio server process when it receives specially crafted TCP data packets.

  • Remote attackers can exploit this vulnerability without any authentication or user interaction.
  • The attack complexity is low, meaning it can be easily exploited over the network.

As a result, the availability of the SIP signaling service provided by Kamailio can be disrupted, potentially impacting communication services relying on it.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Kamailio to one of the patched versions: 6.1.1, 6.0.6, or 5.8.8.

If you are using older branches, consider building from the git repository to apply the patch, as official packages are only provided for the two latest stable branches.

This vulnerability affects Kamailio instances configured with TCP or TLS listeners, so ensure that your deployment is updated accordingly to prevent denial of service caused by specially crafted TCP packets.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39863. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart