PatchSiren cyber security CVE debrief
CVE-2026-49475 signalwire CVE debrief
CVE-2026-49475 is a HIGH severity vulnerability in FreeSWITCH, a Software Defined Telecom Stack. Prior to version 1.11.0, a specially crafted STUN packet can be used to cause an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0.
- Vendor: signalwire
- Product: freeswitch
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Users of FreeSWITCH prior to version 1.11.0 should update to the latest version to prevent exploitation of this vulnerability.
Technical summary
A STUN packet with a declared attribute length shorter than the structure the parser casts to can cause the parser to read and write past the end of the attribute, resulting in an out-of-bounds memory access.
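The missing check described above, shown as an added example (not FreeSWITCH code and not the project's patch): a STUN attribute walk that confirms the declared length covers the whole structure before any field is touched. The struct layout, the function name and the choice of attribute type 0x0020 are assumptions for illustration; the page does not say which attribute is affected.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STUN_HDR_LEN 20u                 /* RFC 5389 fixed header */
#define ATTR_HDR_LEN 4u                  /* 16-bit type + 16-bit length */
#define ATTR_XOR_MAPPED_ADDRESS 0x0020u  /* illustrative attribute type */

/* Hypothetical fixed-size value a parser might cast an attribute to (8 bytes). */
typedef struct {
    uint8_t  reserved;
    uint8_t  family;
    uint16_t port;      /* left in network byte order */
    uint32_t address;   /* left in network byte order */
} example_ip_value_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 and fills *out when a well-formed attribute is found,
 * 1 when the attribute is absent, -1 when the packet is malformed. */
int example_find_ip_attr(const uint8_t *pkt, size_t len, example_ip_value_t *out)
{
    if (len < STUN_HDR_LEN) return -1;
    size_t body = rd16(pkt + 2);                 /* declared message length */
    if (body > len - STUN_HDR_LEN || (body & 3u)) return -1;
    len = STUN_HDR_LEN + body;                   /* never walk past the declared end */
    size_t off = STUN_HDR_LEN;
    while (off < len) {
        if (len - off < ATTR_HDR_LEN) return -1;
        uint16_t type = rd16(pkt + off);
        size_t alen = rd16(pkt + off + 2);       /* declared attribute length */
        size_t padded = (alen + 3u) & ~(size_t)3u;
        off += ATTR_HDR_LEN;
        if (padded > len - off) return -1;       /* value must fit inside the packet */
        if (type == ATTR_XOR_MAPPED_ADDRESS) {
            /* The check this bug class lacks: the declared length must cover
             * the whole structure before it is read or modified. */
            if (alen < sizeof(*out)) return -1;
            memcpy(out, pkt + off, sizeof(*out)); /* copy out; no in-place cast */
            return 0;
        }
        off += padded;
    }
    return 1;
}
```
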
Defensive priority
HIGH
Recommended defensive actions
- Update to FreeSWITCH version 1.11.0 or later.
Evidence notes
This vulnerability has been patched in version 1.11.0. For more information, see the [v1.11.0 release](https://github.com/signalwire/freeswitch/releases/tag/v1.11.0) and the security advisory [GHSA-9j6h-hc95-q926](https://github.com/signalwire/freeswitch/security/advisories/GHSA-9j6h-hc95-q926).
Official resources
- CVE-2026-49475 CVE record (CVE.org)
- CVE-2026-49475 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE-2026-49475 was published on [2026-06-09](https://www.cve.org/CVERecord?id=CVE-2026-49475) and modified on [2026-06-10](https://www.cve.org/CVERecord?id=CVE-2026-49475).