EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in FreeSWITCH, a popular open-source telecom stack, affecting versions prior to the latest release. The vulnerabilities are of the heap buffer overflow type, which can lead to remote code execution (RCE) and crashes. These vulnerabilities pose a significant business risk, as they can be exploited pre-authentication, allowing attackers to gain control of exposed voice servers, potentially disrupting critical communication services and compromising sensitive data.
CVE-2026-49841 with a CVSS score of 9.8 – This vulnerability is a heap buffer overflow bug in the mod_verto HTTP request handler, which can be exploited by an attacker sending a large HTTP POST body, allowing them to push attacker-controlled data onto the heap.
CVE-2026-49840 with a CVSS score of 9.1 – This vulnerability is a heap buffer overflow bug in the libesl library, which can be exploited by a malicious ESL peer sending a negative Content-Length, causing the library to under-allocate memory and copy attacker data into a zero-byte allocation.
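Both findings above come down to trusting a peer-supplied length: an unbounded HTTP POST body in one case, a negative Content-Length that becomes a zero-byte allocation in the other. The following C snippet is an added illustration of the defensive pattern, not FreeSWITCH or libesl code: the Content-Length value is validated (no sign, digits only, capped) before any buffer is sized, and the copy is bounded by both the declared length and the bytes actually received. The cap MAX_BODY_LEN and the function names parse_content_length and copy_body are assumptions chosen for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for a body this service is willing to buffer.
 * The real limit is deployment-specific; this value is an assumption. */
#define MAX_BODY_LEN (1024L * 1024L)

/* Parse a Content-Length header value defensively.
 * Returns the length (0 .. MAX_BODY_LEN) on success, or -1 if the value is
 * NULL, empty, signed, non-numeric, followed by trailing garbage, or over
 * the cap. Rejecting a sign before parsing is the important step: a negative
 * value that is later converted to size_t becomes enormous, and arithmetic
 * on it can leave the allocator handing back a zero-byte buffer that the
 * subsequent copy then overruns. */
long parse_content_length(const char *value)
{
    if (value == NULL) return -1;
    while (*value == ' ' || *value == '\t') value++;   /* skip leading whitespace */
    if (*value < '0' || *value > '9') return -1;       /* rejects "", "-5", "+5" */

    char *end = NULL;
    errno = 0;
    long long n = strtoll(value, &end, 10);
    if (errno == ERANGE || n < 0 || n > MAX_BODY_LEN) return -1;

    while (*end == ' ' || *end == '\t') end++;         /* allow trailing whitespace */
    if (*end != '\0') return -1;                       /* trailing garbage */
    return (long)n;
}

/* Allocate and copy a body of exactly `len` bytes out of a receive buffer
 * holding `avail` bytes. Returns NULL if `len` was rejected by the parser
 * or the peer declared more data than it actually sent. The allocation is
 * sized from the validated length, and the copy is bounded by `avail`, so
 * neither a negative nor an oversized declaration can reach memcpy. */
char *copy_body(const char *recv_buf, size_t avail, long len)
{
    if (recv_buf == NULL || len < 0 || (size_t)len > avail) return NULL;
    char *body = malloc((size_t)len + 1);              /* +1 for the terminator */
    if (body == NULL) return NULL;
    memcpy(body, recv_buf, (size_t)len);
    body[len] = '\0';
    return body;
}

int main(void)
{
    /* Constructed sample values; a real server reads these from the socket. */
    const char *headers[] = { "12", "-1", "99999999999999999999", "5 ", "abc" };
    for (size_t i = 0; i < sizeof headers / sizeof headers[0]; i++)
        printf("Content-Length: %-22s -> %ld\n", headers[i], parse_content_length(headers[i]));

    const char *recv_buf = "hello world";
    char *body = copy_body(recv_buf, strlen(recv_buf), parse_content_length("5"));
    if (body) { printf("body = \"%s\"\n", body); free(body); }
    return 0;
}
```

The two checks are deliberately separate: the parser decides whether the declared length is acceptable at all, and the copy routine refuses any length it cannot satisfy from the bytes on hand, so a peer cannot make the server allocate for one size and copy another.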
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/freeswitch-heap-buffer-overflow-cve-2026-49841/