CVE-2026-49472
Status: Undergoing Analysis - In Progress
Out-of-Bounds Read in FreeSWITCH

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 4 associated CPEs

Vendor      Product     Version / Range
signalwire  freeswitch  before 1.11.0 (1.11.0 excluded)
signalwire  freeswitch  1.11.0
freeswitch  freeswitch  before 1.11.0 (1.11.0 excluded)
libexpat    libexpat    * (all versions)
CWE
CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Executive Summary

The vulnerability exists in FreeSWITCH, specifically in the function PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c. This function was cloned from an outdated and vulnerable version of libexpat and never received the corresponding security patch. As a result, FreeSWITCH versions before 1.11.0 still carry the unpatched code and remain exposed to the security risks associated with this function.

The weakness is classified under CWE-116, improper encoding or escaping of output. Such a flaw can break the intended structure of messages exchanged between components, potentially leading to unintended behavior or memory corruption.

Impact Analysis

This vulnerability can lead to unintended behavior or memory corruption, depending on how the vulnerable function is used within FreeSWITCH. The CVSS score of 5.3 indicates moderate severity, with a potentially high impact on system availability.

Specifically, it may cause disruptions in the software's operation, possibly affecting the availability of telecom services running on FreeSWITCH.

Mitigation Strategies

The recommended immediate step is to update FreeSWITCH to version 1.11.0 or later, where the security patch addressing the vulnerable function PREFIX(prologTok)() has been applied.

This update includes multiple security fixes and improvements, and it replaces the outdated and vulnerable code derived from libexpat with a patched implementation.

  • Upgrade FreeSWITCH to version 1.11.0 or newer.
  • Confirm that the installed FreeSWITCH version is 1.11.0 or newer, so that the vulnerable function is no longer in use.

Compliance Impact

The vulnerability in FreeSWITCH involves a function derived from an outdated and unpatched version of libexpat, which can lead to unintended behavior, memory corruption, or other security problems. Given its moderate severity (CVSS 5.3) and its classification under CWE-116 (improper encoding or escaping of output), it could affect system availability.

However, no specific information is provided about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
