CVE-2026-49840
Undergoing Analysis - In Progress
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 5 associated CPEs
Vendor | Product | Version / Range
freeswitch | freeswitch | to 1.11.1 (exc)
freeswitch | libesl | to 1.11.1 (exc)
signalwire | freeswitch | to 1.11.1 (exc)
signalwire | freeswitch | 1.11.1
signalwire | freeswitch | From 1.11.1 (exc)
CWE ID | Description
CWE-195 | The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.
CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-49840 is a critical vulnerability in FreeSWITCH's libesl library where the function esl_recv_event() improperly parses the Content-Length header using atol() without validating the value.

If a malicious or man-in-the-middle ESL peer sends a negative Content-Length value, this leads to unsafe memory allocation with malloc(len + 1), causing heap corruption or crashes before any authentication occurs.

Specifically, a Content-Length of -1 causes a heap underwrite and overflow with attacker-controlled data, while values of -2 or lower cause a NULL pointer dereference and crash.

This affects FreeSWITCH versions 1.11.0 and earlier and impacts components linked against libesl, such as fs_cli, mod_esl, and mod_hash.

Impact Analysis

This vulnerability allows an attacker with network access to the FreeSWITCH control plane to cause heap corruption or crash any process linked against libesl before authentication.

The impact includes potential denial of service due to process crashes and integrity compromise through heap corruption.

Because exploitation requires no credentials or prior interaction, it poses a significant risk to system stability and reliability.

Detection Guidance

This vulnerability involves the parsing of a negative Content-Length value in the ESL protocol used by FreeSWITCH's libesl library. Detection would involve monitoring network traffic for suspicious ESL frames containing negative Content-Length headers.

Since ESL is a cleartext protocol, you can capture and inspect network packets on the control plane port used by FreeSWITCH ESL connections.

  • Use tcpdump or Wireshark to capture traffic on the ESL port (default 8021): tcpdump -i <interface> port 8021 -w esl_traffic.pcap
  • Use tshark or Wireshark to filter for Content-Length headers with negative values: tshark -r esl_traffic.pcap -Y 'tcp contains "Content-Length: -"'
  • Alternatively, use grep on captured logs or traffic dumps to find lines with 'Content-Length: -' indicating negative values.

Additionally, monitoring FreeSWITCH logs for crashes or heap corruption symptoms before authentication may indicate exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade FreeSWITCH to version 1.11.1 or later, where this vulnerability has been patched.

The patch includes rejecting negative or excessively large Content-Length values, adding runtime checks for malloc failures, and proper cleanup on error paths.
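
The checks described above, sketched in C as an added example (this is not FreeSWITCH's own code or the actual 1.11.1 patch). The function names and the 1 MiB cap EXAMPLE_MAX_BODY are assumptions made for illustration; the page does not state the limit the patch enforces.

```c
#include <errno.h>
#include <stdlib.h>

/* Assumed cap for this example only; not taken from the FreeSWITCH patch. */
#define EXAMPLE_MAX_BODY (1L << 20)

/* Pattern the advisory describes: atol() result used with no sign check.
 * Returns the size that would reach malloc() for a given header value. */
size_t unchecked_alloc_size(const char *value)
{
    long len = atol(value);
    return (size_t)(len + 1);   /* "-1" -> 0 bytes, "-2" -> SIZE_MAX */
}

/* Hardened parse: returns 0 and sets *out on success, -1 if rejected. */
int parse_content_length(const char *value, size_t *out)
{
    char *end = NULL;
    long len;

    if (value == NULL || *value == '\0') return -1;
    errno = 0;
    len = strtol(value, &end, 10);
    if (errno == ERANGE || end == value) return -1;    /* overflow or no digits */
    while (*end == ' ' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return -1;                        /* trailing junk */
    if (len < 0 || len > EXAMPLE_MAX_BODY) return -1;   /* sign and magnitude */
    *out = (size_t)len;
    return 0;
}

/* Allocate a NUL-terminated body buffer. Returns NULL when the header is
 * rejected or malloc() fails, so the caller has one error path to clean up. */
char *alloc_body(const char *value, size_t *len_out)
{
    size_t len;
    char *body;

    if (parse_content_length(value, &len) != 0) return NULL;
    body = malloc(len + 1);
    if (body == NULL) return NULL;
    body[len] = '\0';
    *len_out = len;
    return body;
}
```
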

Until the upgrade can be applied, restrict network access to the ESL control plane port to trusted hosts only to prevent unauthorized or malicious ESL peers from connecting.

Monitor your FreeSWITCH instances for unusual crashes or heap corruption symptoms that may indicate exploitation attempts.

Compliance Impact

The vulnerability in FreeSWITCH allows an unauthenticated attacker to cause heap corruption or crashes before authentication, potentially impacting system integrity and availability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the critical nature of the vulnerability (CVSS 9.1) and its impact on system integrity and availability could pose risks to maintaining compliance with these regulations, which require protection of data integrity and system availability.

Organizations using affected versions of FreeSWITCH should promptly apply the patch (version 1.11.1) to mitigate risks that could lead to non-compliance due to potential service disruption or data integrity issues.
