CVE-2026-39863
Out-of-Bounds Access in Kamailio TCP Causes DoS Crash
Publication date: 2026-04-08
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kamailio | kamailio | to 5.8.8 (exc) |
| kamailio | kamailio | From 6.0.0 (inc) to 6.0.6 (exc) |
| kamailio | kamailio | 6.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39863 is a high-severity vulnerability in the Kamailio SIP Server affecting versions prior to 6.1.1, 6.0.6, and 5.8.8. It is caused by an out-of-bounds access in the core TCP data processing component when handling specially crafted TCP data packets.
This flaw allows remote attackers to cause the Kamailio server process to crash, resulting in a denial of service (DoS). The vulnerability specifically impacts Kamailio instances configured with TCP or TLS listeners.
How can this vulnerability impact me? :
This vulnerability can cause a denial of service by crashing the Kamailio server process when it receives specially crafted TCP data packets.
- Remote attackers can exploit this vulnerability without any authentication or user interaction.
- The attack complexity is low, meaning it can be easily exploited over the network.
As a result, the availability of the SIP signaling service provided by Kamailio can be disrupted, potentially impacting communication services relying on it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Kamailio to one of the patched versions: 6.1.1, 6.0.6, or 5.8.8.
If you are using older branches, consider building from the git repository to apply the patch, as official packages are only provided for the two latest stable branches.
This vulnerability affects Kamailio instances configured with TCP or TLS listeners, so ensure that your deployment is updated accordingly to prevent denial of service caused by specially crafted TCP packets.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes a denial of service (DoS) by crashing the Kamailio SIP server process when handling specially crafted TCP data packets. It does not result in data disclosure or modification.
Since the vulnerability does not impact confidentiality or integrity of data, it does not directly lead to breaches of data protection requirements under standards like GDPR or HIPAA.
However, the denial of service could affect availability of the SIP service, which may indirectly impact compliance if service availability is a regulatory requirement.
To maintain compliance and security best practices, affected users should upgrade to the patched versions to prevent service disruption.