PatchSiren cyber security CVE debrief

CVE-2026-49842 signalwire CVE debrief

CVE-2026-49842 is a HIGH-severity vulnerability in FreeSWITCH mod_verto. Prior to version 1.11.1, the WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. An unauthenticated peer could request up to INT_MAX bytes, causing the server to write roughly size * 10 bytes back during the download phase, resulting in strong outbound bandwidth amplification from a short request.

Vendor: signalwire
Product: freeswitch
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-10
Advisory published: 2026-06-09
Advisory updated: 2026-06-10

Who should care

Anyone running FreeSWITCH with mod_verto on a version prior to 1.11.1 should apply the patch to prevent exploitation.

Technical summary

The vulnerability exists in the mod_verto WebSocket frame loop, which intercepts the #-prefixed speed-test protocol before any authentication check. The declared payload size in #SPU was parsed with atoi(), and only non-positive values were rejected, so an unauthenticated peer could request up to INT_MAX bytes.
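
The parsing weakness described above, next to a bounded parse placed behind an authentication gate. This is an added illustration, not FreeSWITCH source code and not the upstream patch; the function names, the 1 MiB cap, and passing the size field as a bare string are assumptions made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap for this example; the page does not state any upstream limit. */
#define SPEEDTEST_MAX_BYTES (1024L * 1024L)

/* Behaviour described on the page: atoi(), only non-positive values rejected. */
static int parse_size_weak(const char *field, long *out)
{
    int n = atoi(field);          /* no error reporting, no upper bound */
    if (n <= 0) return -1;
    *out = n;
    return 0;
}

/* Hardened form: whole-string strtol() plus a range check against the cap. */
static int parse_size_strict(const char *field, long *out)
{
    char *end = NULL;
    errno = 0;
    long n = strtol(field, &end, 10);
    if (end == field || *end != '\0' || errno == ERANGE) return -1;
    if (n <= 0 || n > SPEEDTEST_MAX_BYTES) return -1;
    *out = n;
    return 0;
}

/* Gate: the size field is only looked at for authenticated sessions. */
static int accept_speedtest(int authenticated, const char *field, long *out)
{
    if (!authenticated) return -1;
    return parse_size_strict(field, out);
}

/* Download-phase volume per the page: roughly size * 10 bytes written back. */
static long long download_bytes(long size) { return (long long)size * 10; }

int main(void)
{
    long sz = 0;
    const char *field = "2147483647";   /* constructed input: INT_MAX */
    if (parse_size_weak(field, &sz) == 0)
        printf("weak:   accepted %ld -> ~%lld bytes out\n", sz, download_bytes(sz));
    printf("strict: %s\n", accept_speedtest(1, field, &sz) == 0 ? "accepted" : "rejected");
    printf("unauth: %s\n", accept_speedtest(0, "4096", &sz) == 0 ? "accepted" : "rejected");
    return 0;
}
```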

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to FreeSWITCH version 1.11.1 or later.
  • Refer to the [v1.11.1 release page](https://github.com/signalwire/freeswitch/releases/tag/v1.11.1) for release notes.
  • Refer to security advisory [GHSA-p3gx-p2w7-wp35](https://github.com/signalwire/freeswitch/security/advisories/GHSA-p3gx-p2w7-wp35) for additional information.

Evidence notes

The CVE-2026-49842 record was published on [cve.org](https://www.cve.org/CVERecord?id=CVE-2026-49842). The vulnerability details were obtained from [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-49842).

Official resources

CVE-2026-49842 was published on 2026-06-09T17:17:48.017Z and modified on 2026-06-10T15:06:33.640Z.