VYPR
Medium severity 5.3 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-49472

Description

FreeSWITCH versions prior to 1.11.0 contain a vulnerable function cloned from an outdated libexpat version, potentially leading to memory corruption or other security issues.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

FreeSWITCH versions prior to 1.11.0 contain a vulnerable function, PREFIX(prologTok)(), located in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c. This function was cloned from an outdated and vulnerable version of libexpat and did not receive the corresponding security patch. This issue has been addressed in version 1.11.0 [2].

Exploitation

An attacker could exploit this vulnerability by triggering the PREFIX(prologTok)() function. The exact conditions or input required to reach this code path are not detailed in the available references, but it is implied that the function's usage within FreeSWITCH is the key to exploitation [2].

Impact

Successful exploitation of this vulnerability could lead to unintended behavior, memory corruption, or other unspecified security issues within FreeSWITCH, depending on how the affected function is utilized [2]. The scope and privilege level of the compromise are not explicitly stated.

Mitigation

This vulnerability has been patched in FreeSWITCH version 1.11.0, released on or before June 9, 2026 [1]. Users are strongly encouraged to upgrade to the latest version of FreeSWITCH to address this security risk [1, 2].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

2
09026b496f80

[xmlrpc-c] Expat/xmltok: Add missing validation of encoding

https://github.com/signalwire/freeswitch · Andrey Volk · Feb 25, 2025 · Fixed in 1.11.0 · via llm-release-walk
1 file changed · +6 -2
  • libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c · +6 -2 · modified
    @@ -32,7 +32,7 @@ See the file copying.txt for copying permission.
        case BT_LEAD ## n: \
          if (end - ptr < n) \
            return XML_TOK_PARTIAL_CHAR; \
    -     if (!IS_NAME_CHAR(enc, ptr, n)) { \
    +     if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
            *nextTokPtr = ptr; \
            return XML_TOK_INVALID; \
          } \
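Review bot: In the first `BT_LEAD ## n` case the combined condition relies on short-circuit order, so that `IS_NAME_CHAR` only runs on a sequence that already passed `IS_INVALID_CHAR`, and nothing in the macro says that the order matters. Add a one-line comment stating that the validity check must stay first, and drop the space in `! IS_NAME_CHAR` so it matches the style of the line it replaces.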
    @@ -60,7 +60,7 @@ See the file copying.txt for copying permission.
        case BT_LEAD ## n: \
          if (end - ptr < n) \
            return XML_TOK_PARTIAL_CHAR; \
    -     if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \
    +     if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
            *nextTokPtr = ptr; \
            return XML_TOK_INVALID; \
          } \
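Review bot: The validity check in this second `BT_LEAD ## n` case is written in a different shape from the one added to `PREFIX(prologTok)`: here it is folded into the existing test as `IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)`, there it is a separate `if` block with its own `return XML_TOK_INVALID`. Using one form in all three places would make it easier to audit that every `BT_LEAD ## n` case in the file carries the check.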
    @@ -1157,6 +1157,10 @@ int PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
       case BT_LEAD ## n: \
         if (end - ptr < n) \
           return XML_TOK_PARTIAL_CHAR; \
    +    if (IS_INVALID_CHAR(enc, ptr, n)) { \
    +      *nextTokPtr = ptr; \
    +      return XML_TOK_INVALID; \
    +    } \
         if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
           ptr += n; \
           tok = XML_TOK_NAME; \
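Review bot: The new `IS_INVALID_CHAR` block in `PREFIX(prologTok)` comes with no regression test, since the commit touches only `xmltok_impl.c`. A test that feeds a malformed multi-byte sequence in the prolog and expects `XML_TOK_INVALID` with `*nextTokPtr` left at the offending byte would pin the behaviour. The commit message should also name the upstream libexpat change this validation was ported from, so the vendored copy can be compared against it later.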
    
67e587d7cf9f
https://github.com/signalwire/freeswitch · Fixed in 1.11.0 · via llm-release-walk

Vulnerability mechanics

Root cause

"The PREFIX(prologTok)() function in FreeSWITCH was cloned from an outdated and vulnerable version of libexpat without applying the corresponding security patch."

Attack vector

An attacker with low privileges can trigger this vulnerability by providing specially crafted XML input to the FreeSWITCH application. The vulnerable function PREFIX(prologTok)() does not properly validate encoding, potentially leading to unintended behavior or memory corruption. This could be exploited through various means depending on how the XML parsing is exposed by the FreeSWITCH service.

Affected code

The vulnerability resides in the `PREFIX(prologTok)()` function located in `libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c`. This function was a direct clone from an older, vulnerable version of libexpat and did not incorporate the necessary security updates.

What the fix does

The patch introduces a check for invalid characters using `IS_INVALID_CHAR(enc, ptr, n)` within the `PREFIX(prologTok)()` function. This addition ensures that invalid encoding sequences are detected and rejected, preventing the function from proceeding with potentially malformed data. This addresses the vulnerability by adding the missing validation that was present in the upstream libexpat fix [patch_id=5390370].
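
The check order the patch establishes for multi-byte lead bytes (bounds, then validity, then classification), as an added example that is not FreeSWITCH or libexpat code. `lead_len`, `utf8_invalid` and `check_lead` are hypothetical names, and the UTF-8 well-formedness rules here are an assumed stand-in for whatever `IS_INVALID_CHAR` resolves to for a given encoding.

```c
#include <stdio.h>

/* Names echo the patch's return codes; the values are local to this sketch. */
enum { TOK_INVALID = 0, TOK_OK = 1, TOK_PARTIAL_CHAR = -2 };

/* Sequence length implied by a UTF-8 lead byte; 0 if not a multi-byte lead. */
static int lead_len(unsigned char b) {
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Hypothetical stand-in for IS_INVALID_CHAR: nonzero when the n-byte
   sequence at p is malformed. Caller guarantees n readable bytes. */
static int utf8_invalid(const unsigned char *p, int n) {
    for (int i = 1; i < n; i++)
        if ((p[i] & 0xC0) != 0x80) return 1;             /* not 10xxxxxx */
    if (n == 2) return p[0] < 0xC2;                      /* overlong */
    if (n == 3) return (p[0] == 0xE0 && p[1] < 0xA0)     /* overlong */
                    || (p[0] == 0xED && p[1] > 0x9F);    /* surrogate */
    return (p[0] == 0xF0 && p[1] < 0x90)                 /* overlong */
        || (p[0] == 0xF4 && p[1] > 0x8F) || p[0] > 0xF4; /* > U+10FFFF */
}

/* Order used by the patched BT_LEAD cases: bounds check, validity check,
   and only then classification (reduced here to "accept and advance").
   Requires ptr < end. */
int check_lead(const char *ptr, const char *end, const char **next) {
    const unsigned char *p = (const unsigned char *)ptr;
    int n = lead_len(p[0]);
    if (n == 0) { *next = ptr; return TOK_INVALID; }
    if (end - ptr < n) return TOK_PARTIAL_CHAR;
    if (utf8_invalid(p, n)) { *next = ptr; return TOK_INVALID; }
    *next = ptr + n;
    return TOK_OK;
}

int main(void) {
    /* Constructed inputs: valid U+00E9, then a lead byte followed by '('. */
    const char ok[] = { (char)0xC3, (char)0xA9 };
    const char bad[] = { (char)0xC3, 0x28 };
    const char *next;
    printf("valid: %d\n", check_lead(ok, ok + 2, &next));
    printf("malformed: %d\n", check_lead(bad, bad + 2, &next));
    return 0;
}
```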

Preconditions

  • auth: The attacker has low privileges (PR:L).

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
