CVE-2026-49842— FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames
Possible ATT&CK Techniques 2AI
T1499.002 · Service Exhaustion Flood T1498.002 · Reflection AmplificationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| signalwire | freeswitch | < 1.11.1 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49842
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames
Source: NVD (National Vulnerability Database)
Vulnerability Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
FreeSWITCH 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FreeSWITCH是美国Anthony Minessale个人开发者的研发的一套免费、开源的通信软件。该软件可用于创建音、视频以及短消息类产品和应用。 FreeSWITCH 1.11.1之前版本存在资源管理错误漏洞,该漏洞源于mod_verto的WebSocket帧循环在任何身份验证检查之前拦截以#为前缀的速度测试协议,使用atoi解析#SPU中声明的有效载荷大小,仅拒绝非正值,因此未经身份验证的对等端可以请求最多INT_MAX字节,服务器在下载阶段回写大约size乘以10字节的数据,每个请求约20 G
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| signalwire | freeswitch | < 1.11.1 | - |
II. Public POCs for CVE-2026-49842
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7803 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-49842
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-49842 (1)
Vendor Advisories for CVE-2026-49842 (1)
Same Patch Batch · signalwire · 2026-06-09 · 9 CVEs total
| CVE-2026-49841 | 9.8 CRITICAL | FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read |
| CVE-2026-49840 | 9.1 CRITICAL | FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing |
| CVE-2026-45771 | 7.5 HIGH | Freeswitch Denial-of-Service in SIP PUBLISH Requests via XML Entity Expansion |
| CVE-2026-49847 | 7.5 HIGH | FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON |
| CVE-2026-49475 | 7.5 HIGH | FreeSWITCH: Out-of-bounds memory access in core STUN attribute parsing |
| CVE-2026-49843 | 5.3 MEDIUM | FreeSWITCH: Pre-authentication session eviction via attacker-chosen `sessid` in `mod_verto |
| CVE-2026-49472 | 5.3 MEDIUM | FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat |
| CVE-2026-49848 | 4.3 MEDIUM | FreeSWITCH: Pre-authentication `userVariables` injection in `mod_verto` |
IV. Related Vulnerabilities
Same product: freeswitch
- CVE-2026-49848
FreeSWITCH: Pre-authentication `userVariables` injection in - CVE-2026-49847
FreeSWITCH: Stack overflow in bundled cJSON parser via deepl - CVE-2026-49843
FreeSWITCH: Pre-authentication session eviction via attacker - CVE-2026-49841
FreeSWITCH: Pre-authentication heap buffer overflow in `mod_ - CVE-2026-49840
FreeSWITCH: Pre-authentication heap buffer overflow in libes
Same vendor: signalwire
- CVE-2026-49848
FreeSWITCH: Pre-authentication `userVariables` injection in - CVE-2026-49847
FreeSWITCH: Stack overflow in bundled cJSON parser via deepl - CVE-2026-49843
FreeSWITCH: Pre-authentication session eviction via attacker - CVE-2026-49841
FreeSWITCH: Pre-authentication heap buffer overflow in `mod_ - CVE-2026-49840
FreeSWITCH: Pre-authentication heap buffer overflow in libes
Same weakness: CWE-400
- CVE-2026-9375
Decompression Bomb Bypass via Negative max_length in Streami - CVE-2026-49293
CPU exhaustion via O(n^2) BigInt construction on radix-prefi - CVE-2026-48937
Node.js 22/24 HTTP/2服务器GoAway帧后持续接收数据漏洞 - CVE-2025-53114
CometD has acknowledgement extension out of memory - CVE-2025-32437
AutoGPT has a DoS vulnerability in MediaDurationBlock
V. Comments for CVE-2026-49842
No comments yet