CVE-2026-10629

Vulnerability

The SIP signaling stack in Verizon's IMS network, in unspecified versions, implements SIP signaling without IPsec integrity protection. This is evidenced by the absence of Security-Client/Security-Server headers and ESP traffic, contrary to 3GPP TS 33.203 and GSMA IR.92 requirements [2].

Exploitation

An on-path attacker can exploit this vulnerability by passively monitoring and actively manipulating unsecured SIP messages over the radio and core network. This requires the attacker to be positioned between the user equipment and the IMS network to intercept and modify signaling traffic, such as registration, call setup, or messaging requests [2].

Impact

An attacker can compromise the confidentiality, integrity, and authenticity of VoLTE signaling. This manipulation could lead to denial of service, call redirection, or other unauthorized modifications to the signaling flow, affecting the integrity of voice and messaging services [2].

Mitigation

Verizon has stated that integrity support is "currently available at their request" and will be extended to all UEs "starting later this year." Apple's iOS 26.5 carrier bundle, released May 11, 2026, includes IMS IPsec-related configuration entries, suggesting device-side support may be enabled. However, network-level enforcement by Verizon has not yet been confirmed, and the vulnerability remains active for most users until this is observed [2].