PatchSiren

CVE-2026-49841 signalwire CVE debrief

CVE-2026-49841 is a critical heap overflow vulnerability in FreeSWITCH, a Software Defined Telecom Stack. The vulnerability exists in the mod_verto HTTP request handler, where a fixed 2 MiB buffer is allocated for a POST application/x-www-form-urlencoded body, but the Content-Length is accepted up to just under 10 MiB. This allows an attacker-controlled heap overflow of up to ~8 MiB past the buffer, and the write happens before the HTTP basic-auth check runs, so no credentials are needed to reach it. The issue has been patched in version 1.11.1.

Vendor: signalwire
Product: freeswitch
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-10
Advisory published: 2026-06-09
Advisory updated: 2026-06-10

Who should care

Users of FreeSWITCH versions prior to 1.11.1 should upgrade to 1.11.1 to mitigate this vulnerability.

Technical summary

The mod_verto HTTP request handler in FreeSWITCH allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts a Content-Length of up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than by the buffer size, so a declared body larger than 2 MiB is written past the end of the allocation: an attacker-controlled heap overflow of up to ~8 MiB, reachable before the HTTP basic-auth check runs.
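The defect class described above, as an added illustration written for this debrief rather than FreeSWITCH's or mod_verto's own code: a body reader whose loop is bounded by the buffer capacity as well as by Content-Length, and a predicate that rejects any declared length the buffer cannot hold before a single byte is read. The `fake_conn_t` connection stand-in, the function names and the sample request bodies are constructed so the example runs offline; only the 2 MiB buffer size and the ~10 MiB Content-Length ceiling come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes taken from the advisory: a fixed 2 MiB body buffer, and a
 * Content-Length ceiling of just under 10 MiB. */
#define BODY_BUF_SIZE      (2u * 1024u * 1024u)
#define MAX_CONTENT_LENGTH (10u * 1024u * 1024u - 1u)

/* Constructed stand-in for a client connection: a byte stream handed out in
 * chunks, like a partial recv(). Not FreeSWITCH's socket layer. */
typedef struct {
    const uint8_t *data;   /* bytes the "client" will send */
    size_t len;            /* how many of them exist */
    size_t pos;            /* how many have been consumed so far */
    size_t chunk;          /* max bytes returned per read */
} fake_conn_t;

static size_t conn_read(fake_conn_t *c, uint8_t *out, size_t want)
{
    size_t avail = c->len - c->pos;
    size_t n = want < avail ? want : avail;
    if (n > c->chunk) n = c->chunk;
    memcpy(out, c->data + c->pos, n);
    c->pos += n;
    return n;                /* 0 means the client sent nothing more */
}

/* The missing check, stated as a predicate: a declared Content-Length is only
 * acceptable if the destination buffer can hold it. Testing it against
 * MAX_CONTENT_LENGTH alone is exactly what leaves the ~8 MiB gap. */
int content_length_fits(size_t content_length, size_t buf_cap)
{
    return content_length <= MAX_CONTENT_LENGTH && content_length <= buf_cap;
}

/* Hardened body reader. Returns 0 on success, -1 if the declared length is
 * rejected (no bytes are read in that case), -2 if the client sends fewer
 * bytes than it declared. The loop is bounded by content_length, which has
 * already been bounded by buf_cap, so no write can pass buf + buf_cap. */
int read_form_body(fake_conn_t *c, size_t content_length,
                   uint8_t *buf, size_t buf_cap, size_t *out_len)
{
    if (!content_length_fits(content_length, buf_cap))
        return -1;

    size_t got = 0;
    while (got < content_length) {
        size_t n = conn_read(c, buf + got, content_length - got);
        if (n == 0)
            return -2;       /* connection closed early: truncated body */
        got += n;
    }
    *out_len = got;
    return 0;
}

/* Scenario helpers, each built on constructed input. */
int demo_small_body_ok(void)
{
    static const uint8_t body[] = "user=alice&pass=x";   /* 17 bytes */
    uint8_t buf[32];
    size_t out = 0;
    fake_conn_t c = { body, 17, 0, 4 };                  /* 4-byte chunks */
    return read_form_body(&c, 17, buf, sizeof buf, &out) == 0
        && out == 17 && memcmp(buf, body, 17) == 0;
}

int demo_oversized_rejected(void)
{
    static const uint8_t body[40];                       /* 40 declared bytes */
    uint8_t buf[16];                                     /* 16-byte buffer */
    size_t out = 0;
    fake_conn_t c = { body, sizeof body, 0, sizeof body };
    int rc = read_form_body(&c, sizeof body, buf, sizeof buf, &out);
    return rc == -1 && c.pos == 0;   /* refused before any byte was read */
}

int demo_truncated_body(void)
{
    static const uint8_t body[] = "a=1";   /* declares 8 bytes, sends 3 */
    uint8_t buf[16];
    size_t out = 0;
    fake_conn_t c = { body, 3, 0, 8 };
    return read_form_body(&c, 8, buf, sizeof buf, &out) == -2;
}

int main(void)
{
    /* A 9 MiB declared body passes the old ceiling but not the buffer check. */
    printf("9 MiB into a 2 MiB buffer accepted? %d\n",
           content_length_fits(9u * 1024u * 1024u, BODY_BUF_SIZE));
    printf("1 MiB into a 2 MiB buffer accepted? %d\n",
           content_length_fits(1u * 1024u * 1024u, BODY_BUF_SIZE));
    printf("small ok=%d oversized rejected=%d truncated=%d\n",
           demo_small_body_ok(), demo_oversized_rejected(), demo_truncated_body());
    return 0;
}
```

The point for reviewers of similar handlers is the order of operations: the capacity check runs on the header value before the read loop starts and does not depend on authentication having succeeded, so an oversized request is refused whether or not the caller holds credentials.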

Defensive priority

High

Recommended defensive actions

  • Upgrade to FreeSWITCH version 1.11.1 or later.
  • Refer to [ref-4](https://github.com/signalwire/freeswitch/releases/tag/v1.11.1) for release notes.
  • Refer to [ref-5](https://github.com/signalwire/freeswitch/security/advisories/GHSA-wfrq-qvg2-f88f) for additional information.

Evidence notes

The CVE-2026-49841 record and NVD detail can be found at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-49841) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-49841), respectively.

Official resources

CVE-2026-49841 was published on 2026-06-09 and last modified on 2026-06-10; the authoritative record is the [CVE entry](https://www.cve.org/CVERecord?id=CVE-2026-49841).