CVE-2026-49841

Vulnerability

Prior to version 1.11.1, the mod_verto HTTP request handler in FreeSWITCH allocates a fixed 2 MiB buffer for POST requests with application/x-www-form-urlencoded bodies. However, it accepts a Content-Length header of up to nearly 10 MiB. The loop that reads the body is bounded by Content-Length instead of the allocated buffer size, resulting in an attacker-controlled heap overflow of up to approximately 8 MiB. This vulnerability is reachable only when mod_verto profiles have at least one `` configured, which is not the default configuration [1].

Exploitation

An attacker requires network access to the mod_verto listener. The heap overflow occurs before the HTTP basic authentication check, meaning no credentials, WebSocket upgrade, JSON-RPC framing, or prior interaction are necessary. The vulnerability is present in both plaintext and TLS connections, as the overflow happens during HTTP body parsing after TLS termination. The attacker sends a POST request with a Content-Length header significantly larger than the 2 MiB buffer, causing the excess data to overwrite adjacent heap memory [1].

Impact

Successful exploitation can lead to heap corruption with fully attacker-controlled contents, making denial of service via heap corruption trivial. There is also a possibility of information disclosure if the overflow corrupts adjacent allocations whose contents are later reflected in the HTTP response or WebSocket frames. While Remote Code Execution (RCE) has not been demonstrated, it is considered plausible given the size of the overflow and the attacker's complete control over its contents [1].

Mitigation

This vulnerability has been fixed in FreeSWITCH version 1.11.1, released on 2023-01-25 [2]. To mitigate the issue before patching, administrators can restrict the mod_verto listener to trusted networks using a firewall or by specifying a bind address. Alternatively, removing all ` entries from the mod_verto profile will disable the HTTP request handler entirely, confining mod_verto to WebSocket/JSON-RPC and making the vulnerability unreachable. Disabling mod_verto` outright is also an option if it is not required [1].