CVE-2026-49847
Undergoing Analysis - In Progress
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

Vendor | Product | Version / Range
freeswitch | freeswitch | up to 1.11.1 (exclusive)
CWE
CWE ID | Description
CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Executive Summary

CVE-2026-49847 is a high-severity vulnerability in FreeSWITCH versions 1.11.0 and earlier caused by a stack overflow in the bundled cJSON parser.

The vulnerability occurs when the parser processes a deeply nested JSON document using recursive descent, which increases the call stack depth with each nested object or array.

An unauthenticated attacker can send a single malicious WebSocket frame containing such a deeply nested JSON to the mod_verto WebSocket frame handler, which parses JSON before authentication.

This causes the worker thread's stack to overflow, triggering a SIGSEGV crash that terminates the FreeSWITCH process and all active calls and sessions on the host.

Impact Analysis

This vulnerability can cause a denial of service by crashing the FreeSWITCH process.

When exploited, it terminates all active calls and sessions on the affected host, disrupting telecom services.

The attack requires only network access to the WebSocket listener and no authentication, making it easy for attackers to exploit.

TLS encryption does not prevent the attack since the JSON parsing happens after transport termination.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for unauthenticated WebSocket frames sent to the mod_verto WebSocket listener, typically on ports 8081 (plaintext) or 8082 (TLS). Since the attack involves sending a deeply nested JSON document that triggers a stack overflow, detection involves identifying unusually large or deeply nested JSON payloads in WebSocket frames before authentication.

Network capture tools such as tcpdump or Wireshark can record WebSocket traffic on the relevant ports for inspection, for example:

  • tcpdump -i <interface> -w capture.pcap port 8081 or port 8082
  • Use Wireshark to analyze the captured traffic for WebSocket frames containing deeply nested JSON payloads. Traffic on port 8082 is TLS-encrypted, so its payloads are only visible after decryption.

Additionally, monitoring FreeSWITCH logs for unexpected crashes or SIGSEGV signals can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include upgrading FreeSWITCH to version 1.11.1, which contains a patch preventing the stack overflow by capping the cJSON nesting limit.

If upgrading immediately is not possible, other mitigations include:

  • Restricting access to the mod_verto WebSocket listener to trusted networks only.
  • Disabling the mod_verto module entirely to prevent unauthenticated WebSocket access.
  • Applying a patch to limit the cJSON parser's nesting depth to 64 to prevent excessive recursion.
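
The last mitigation caps nesting at 64. As an added example (not FreeSWITCH's patch and not code from this page), the C function below measures nesting depth iteratively, so a buffer can be rejected before it reaches a recursive parser. The names `json_depth_within` and `MAX_JSON_DEPTH` are hypothetical and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_JSON_DEPTH 64 /* nesting cap named on this page */

/* Max nesting depth of buf[0..len), or -1 once depth exceeds `limit`.
 * Iterative, so stack use is constant however deep the input nests.
 * Hypothetical helper: not a validator, it only counts brackets that
 * sit outside string literals. */
int json_depth_within(const char *buf, size_t len, int limit)
{
    int depth = 0, max_depth = 0, in_string = 0;

    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (in_string) {
            if (c == '\\')
                i++;                 /* skip the escaped character */
            else if (c == '"')
                in_string = 0;
        } else if (c == '"') {
            in_string = 1;
        } else if (c == '{' || c == '[') {
            if (++depth > limit)
                return -1;           /* reject before the recursive parser runs */
            if (depth > max_depth)
                max_depth = depth;
        } else if ((c == '}' || c == ']') && depth > 0) {
            depth--;
        }
    }
    return max_depth;
}

int main(void)
{
    /* Constructed samples: a shallow request and 65 nested arrays. */
    const char *ok = "{\"id\":1,\"params\":{\"note\":\"[[ \\\" [[\"}}";
    char deep[2 * 65 + 1];
    memset(deep, '[', 65);
    memset(deep + 65, ']', 65);
    deep[130] = '\0';
    printf("shallow=%d deep=%d\n",
           json_depth_within(ok, strlen(ok), MAX_JSON_DEPTH),
           json_depth_within(deep, strlen(deep), MAX_JSON_DEPTH));
    return 0;
}
```

Brackets inside string values do not count toward the depth, so ordinary payloads that merely contain `[` or `{` characters in text fields are not rejected.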

Compliance Impact

The vulnerability causes a denial of service by crashing the FreeSWITCH process and terminating all calls and sessions on the host. This disruption of service could impact the availability requirement of common standards and regulations such as GDPR and HIPAA, which mandate ensuring the availability and reliability of systems processing personal or sensitive data.

However, the vulnerability does not directly lead to confidentiality or integrity breaches, as it does not allow data leakage or unauthorized data modification.

Organizations using affected versions of FreeSWITCH should consider this risk to service availability when assessing compliance and apply the patch or mitigations promptly to maintain compliance with availability requirements.
