CVE-2026-49475
Undergoing Analysis - In Progress
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: freeswitch
Product: freeswitch
Version / Range: up to 1.11.0 (exclusive)
CWE ID and description:
  • CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
  • CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  • CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-49475 is a high-severity vulnerability in FreeSWITCH, an open-source telephony platform. It involves an out-of-bounds memory access in the STUN packet parser. Specifically, when a STUN packet declares an attribute length shorter than the structure the parser expects, the parser reads and writes beyond the attribute's boundary in memory. This happens because the parser does not properly check if the payload is large enough before casting it to specific types.

This flaw can cause the FreeSWITCH process to crash when processing a crafted STUN packet, affecting all concurrent sessions. The vulnerability can be triggered remotely by sending a single UDP datagram to the media port of an active ICE-enabled call leg, without needing prior session information or authentication.

Impact Analysis

The primary impact of this vulnerability is on the availability of the FreeSWITCH service. An attacker can cause the FreeSWITCH process to crash by sending a specially crafted STUN packet, which terminates all ongoing calls and sessions handled by the server.

This denial of service can disrupt telephony communications, affecting any deployment that uses ICE-enabled media legs, such as WebRTC and SIP profiles with ICE offers. The attack requires only network access to the UDP media port and does not require privileges or user interaction.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal terminations of the FreeSWITCH process, especially during active ICE-enabled call sessions.

Since the vulnerability is triggered by a crafted STUN packet sent to the dynamically allocated UDP media port of an active ICE-enabled call leg, detection involves identifying unexpected or suspicious UDP traffic targeting RTP port ranges.

A practical approach is to perform a UDP scan on the configured RTP port range to discover open ports that could be targeted.

  • Use network monitoring tools like tcpdump or Wireshark to capture and analyze UDP traffic on RTP ports.
  • Example command to monitor UDP traffic on RTP ports (replace <RTP_PORT_RANGE> with your actual range):
      tcpdump -i <interface> udp portrange <RTP_PORT_RANGE>
  • Look for unusual or malformed STUN packets that could indicate exploitation attempts.
  • Monitor FreeSWITCH logs for error messages related to STUN packet parsing failures or unexpected process crashes.

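An added example, not code from FreeSWITCH or from this page: a C check of the kind the description says was missing (declared attribute length compared against the size a parser would cast to), which also serves the detection step of spotting malformed STUN packets in captured UDP payloads. The minimum sizes come from RFC 5389 and RFC 8445; the function names, the set of attributes covered and the sample packets are assumptions for illustration, since the page does not say which attributes the affected parser mishandles.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum stun_check { STUN_OK, STUN_NOT_STUN, STUN_BAD_LEN, STUN_ATTR_OVERRUN, STUN_ATTR_SHORT };
static uint32_t rd16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
/* Smallest value a parser may read as a fixed-layout attribute. Sizes are from
 * RFC 5389 / RFC 8445; this table is an assumption, not FreeSWITCH's own. */
static size_t min_value_len(uint32_t type, const uint8_t *val, size_t alen)
{
    switch (type) {
    case 0x0001: case 0x0020:            /* MAPPED-ADDRESS, XOR-MAPPED-ADDRESS */
        return (alen >= 2 && val[1] == 0x02) ? 20 : 8;   /* IPv6 : IPv4 */
    case 0x0008: return 20;              /* MESSAGE-INTEGRITY */
    case 0x0009: case 0x0024: case 0x8028: return 4; /* ERROR-CODE, PRIORITY, FINGERPRINT */
    case 0x8029: case 0x802A: return 8;  /* ICE-CONTROLLED, ICE-CONTROLLING */
    default:     return 0;               /* variable-length or unknown type */
    }
}

/* Walk every attribute and reject the packet before any value would be cast. */
enum stun_check stun_check_packet(const uint8_t *buf, size_t len)
{
    if (len < 20 || (buf[0] & 0xC0) ||
        ((rd16(buf + 4) << 16) | rd16(buf + 6)) != 0x2112A442u)
        return STUN_NOT_STUN;            /* short header, top bits set, bad magic cookie */
    size_t body = rd16(buf + 2);
    if (body % 4 || body > len - 20) return STUN_BAD_LEN;
    size_t off = 20, end = 20 + body;    /* end - off stays a multiple of 4 */
    while (off < end) {
        uint32_t type = rd16(buf + off);
        size_t alen = rd16(buf + off + 2);
        off += 4;
        if (alen > end - off) return STUN_ATTR_OVERRUN;  /* value runs past the message */
        if (alen < min_value_len(type, buf + off, alen))
            return STUN_ATTR_SHORT;      /* shorter than the struct a parser would cast to */
        off += (alen + 3) & ~(size_t)3;  /* values are padded to 4 bytes */
    }
    return STUN_OK;
}

int main(void)
{
    /* Constructed samples: STUN header plus one PRIORITY attribute, declared length 4 vs 0. */
    uint8_t ok[28]  = {0,1,0,8, 0x21,0x12,0xA4,0x42, 0,0,0,0,0,0,0,0,0,0,0,0, 0,0x24,0,4, 0x6E,0,1,0xFF};
    uint8_t bad[24] = {0,1,0,4, 0x21,0x12,0xA4,0x42, 0,0,0,0,0,0,0,0,0,0,0,0, 0,0x24,0,0};
    printf("ok=%d bad=%d\n", stun_check_packet(ok, sizeof ok), stun_check_packet(bad, sizeof bad));
    return 0;
}
```

Run over UDP payloads extracted from a capture of the RTP port range, any result other than STUN_OK or STUN_NOT_STUN marks a datagram worth inspecting.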
Mitigation Strategies

The primary mitigation is to upgrade FreeSWITCH to version 1.11.0 or later, where the vulnerability has been patched.

If upgrading is not immediately possible, restrict access to the RTP port range to trusted peers only to limit exposure to potentially malicious STUN packets.

Disabling ICE is generally not viable due to WebRTC requirements and default SIP peer negotiations, so this is not recommended as a mitigation.

There is no reliable in-process workaround; therefore, controlling network access to the UDP media ports and applying the patch are the best immediate steps.

Compliance Impact

The vulnerability primarily impacts the availability of the FreeSWITCH service by causing crashes through out-of-bounds memory access. There is no direct impact on confidentiality or integrity of data.

Since the vulnerability does not lead to unauthorized data disclosure or modification, its effect on compliance with data protection regulations such as GDPR or HIPAA is indirect and limited to potential service disruption.

However, availability is a component of many compliance frameworks, so repeated or prolonged service outages caused by exploitation of this vulnerability could affect compliance related to service availability and operational continuity.
