CVE-2026-39864
Out-of-Bounds Read in Kamailio Auth Module Causes DoS
Publication date: 2026-04-08
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kamailio | kamailio | to 5.8.7 (exc) |
| kamailio | kamailio | From 6.0.0 (inc) to 6.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39864 is a moderate severity vulnerability in the auth module of the Kamailio SIP Server versions prior to 6.0.5 and 5.8.7.
The issue occurs when user authentication is done without a database backend, following RFC2617. After a successful authentication, a specially crafted SIP packet can trigger an out-of-bounds read during additional user identity checks.
This out-of-bounds read causes Kamailio to crash, resulting in a denial of service (DoS). The vulnerability can be exploited remotely over the network, but requires high privileges and has high attack complexity.
How can this vulnerability impact me? :
This vulnerability impacts the availability of the Kamailio SIP Server by causing it to crash when exploited.
An attacker who has high privileges can remotely send a specially crafted SIP packet that triggers an out-of-bounds read, leading to a denial of service (DoS) condition.
While confidentiality and integrity are not affected, the server becoming unavailable can disrupt communications and services relying on Kamailio.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an out-of-bounds read in the auth module of Kamailio SIP Server triggered by specially crafted SIP packets after successful user authentication without a database backend.
Detection can focus on monitoring for unexpected Kamailio process crashes or denial of service symptoms following SIP authentication events.
Since the vulnerability is triggered by crafted SIP packets, network traffic analysis tools can be used to inspect SIP packets for anomalies or malformed authentication sequences.
Specific commands are not provided in the available resources, but general approaches include:
- Checking Kamailio logs for crash reports or errors related to the auth module.
- Using packet capture tools like tcpdump or Wireshark to capture and analyze SIP traffic for unusual authentication packets.
- Monitoring system processes for unexpected Kamailio crashes or restarts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Kamailio to a fixed version: 6.0.5 or 5.8.7 or later.
If upgrading immediately is not possible, consider restricting access to the Kamailio SIP server to trusted networks or users with elevated privileges, as the attack requires high privileges.
Additionally, monitor Kamailio for crashes and apply any available patches or backports from the git repository if official packages are not yet updated.
Contact the Kamailio security mailing list for further guidance or to report issues.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes a denial of service (DoS) by crashing the Kamailio SIP server process, which impacts system availability.
However, the vulnerability does not affect confidentiality or integrity of data, as it involves an out-of-bounds read without data leakage or modification.
Since availability is a key component in compliance with standards like GDPR and HIPAA, this vulnerability could negatively impact compliance by causing service interruptions.
Organizations relying on Kamailio for SIP signaling should address this vulnerability promptly to maintain availability and meet regulatory requirements.