CVE-2026-49472
Analyzed - Analysis Complete

Out-of-Bounds Read in FreeSWITCH

Vulnerability report for CVE-2026-49472, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.

Meta Information

Published: 2026-06-09
Last Modified: 2026-06-10
Generated: 2026-06-30
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

Showing 1 associated CPE

Vendor: freeswitch
Product: freeswitch
Version / Range: up to 1.11.0 (excluding)

CWE

CWE ID: CWE-116
Description: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

KEV: not listed

AI Quick Actions

Executive Summary

The vulnerability exists in FreeSWITCH, specifically in a function called PREFIX(prologTok)() located in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c. This function was cloned from an outdated and vulnerable version of libexpat and did not receive the necessary security patch. Because of this, FreeSWITCH remains exposed to potential security risks related to this function.

The weakness is classified under CWE-116, which involves improper encoding or escaping of output. This can disrupt the intended structure of messages during communication, potentially leading to unintended behavior or memory corruption.

Impact Analysis

This vulnerability can lead to unintended behavior or memory corruption depending on how the vulnerable function is used within FreeSWITCH. The CVSS score of 5.3 indicates a moderate severity with a potential high impact on system availability.

Specifically, it may cause disruptions in the software's operation, possibly affecting the availability of telecom services running on FreeSWITCH.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to update FreeSWITCH to version 1.11.0 or later, where the security patch addressing the vulnerable function PREFIX(prologTok)() has been applied.

This update includes multiple security fixes and improvements, ensuring that the outdated and vulnerable code derived from libexpat is replaced with a secure implementation.

  • Upgrade FreeSWITCH to version 1.11.0 or newer.
  • Verify that your system no longer uses the vulnerable function by confirming the update.

Compliance Impact

The vulnerability in FreeSWITCH involves a function derived from an outdated and unpatched version of libexpat, which can lead to unintended behavior, memory corruption, or other security problems. This could potentially impact system availability due to its moderate severity (CVSS 5.3) and classification under CWE-116 (improper encoding or escaping of output).

However, there is no specific information provided about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
