PatchSiren cyber security CVE debrief
CVE-2026-49840 signalwire CVE debrief
CVE-2026-49840 is a critical vulnerability in FreeSWITCH Software Defined Telecom Stack. A malicious ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.
- Vendor: signalwire
- Product: freeswitch
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Users of FreeSWITCH Software Defined Telecom Stack prior to version 1.11.1 should apply the patch to prevent heap corruption and crashes.
Technical summary
The esl_recv_event() function in FreeSWITCH parses the Content-Length header with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. atol() silently accepts a leading minus sign, so a malicious or man-in-the-middle ESL peer can send a frame whose Content-Length is negative; the allocation size is then derived from an unvalidated, attacker-controlled value, which leads to heap corruption or a crash in any process linked against libesl. Because the length is parsed before authentication completes, the peer does not need valid credentials.
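The pattern described above, as an added illustration that is not FreeSWITCH's own code: the unchecked atol() path is shown beside a hardened parser that accepts only a plain non-negative decimal value within an explicit cap before any allocation happens. The ESL_MAX_BODY_LEN cap and the function names are assumptions chosen for this example, not libesl identifiers.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy cap on an event body (16 MiB); not a libesl constant. */
#define ESL_MAX_BODY_LEN (16u * 1024u * 1024u)

/* The weak pattern: atol() accepts '-', overflow and trailing junk without
 * complaint, and the caller adds 1 and hands the result to malloc() as a
 * size_t.  A negative header value therefore wraps to 0 or to a huge size. */
static size_t unchecked_alloc_size(const char *hdr_value)
{
    long len = atol(hdr_value);   /* may be negative or saturated */
    return (size_t)(len + 1);     /* wraps when len < 0 */
}

/* Hardened parser: succeeds only when hdr_value is a non-empty string of
 * decimal digits (no sign, whitespace or trailing characters), fits in an
 * unsigned long long, and does not exceed the policy cap. */
static bool parse_content_length(const char *hdr_value, size_t *out_len)
{
    if (hdr_value == NULL || *hdr_value == '\0')
        return false;

    /* Explicit digit scan: strtoull() on its own would still accept a leading
     * sign or whitespace, which is exactly what must be rejected here. */
    for (const char *p = hdr_value; *p != '\0'; ++p)
        if (!isdigit((unsigned char)*p))
            return false;

    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(hdr_value, &end, 10);
    if (errno == ERANGE || end == hdr_value || *end != '\0')
        return false;                 /* overflow or parse failure */
    if (v > ESL_MAX_BODY_LEN)
        return false;                 /* oversized body: refuse the frame */

    *out_len = (size_t)v;
    return true;
}

/* Allocate body storage plus a NUL terminator only after validation.
 * len + 1 cannot overflow because len <= ESL_MAX_BODY_LEN. */
static char *alloc_body(const char *hdr_value, size_t *out_len)
{
    size_t len;
    if (!parse_content_length(hdr_value, &len))
        return NULL;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    buf[len] = '\0';
    *out_len = len;
    return buf;
}

int main(void)
{
    /* Constructed header values; "-2" shows the wrap the weak path suffers. */
    const char *samples[] = { "0", "1024", "-1", "-2", "5abc", " 5" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        size_t len = 0;
        char *body = alloc_body(samples[i], &len);
        printf("%-6s unchecked=%zu  hardened=%s\n", samples[i],
               unchecked_alloc_size(samples[i]),
               body ? "accepted" : "rejected");
        free(body);
    }
    return 0;
}
```

The digit scan plus strtoull() pair is deliberately redundant: the scan rejects the sign and whitespace forms that the C library's integer parsers tolerate, while the ERANGE check catches values that are syntactically valid but too large for the type. Any frame whose header fails parse_content_length() should be dropped and the connection closed rather than allocated for.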
Defensive priority
High
Recommended defensive actions
- Upgrade to FreeSWITCH version 1.11.1 or later.
- See the vendor release notes listed under Official resources.
- See the third-party advisory listed under Official resources.
Evidence notes
This CVE was published on 2026-06-09 and modified on 2026-06-10.
Official resources
- CVE-2026-49840 CVE record (CVE.org)
- CVE-2026-49840 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Third Party Advisory