CVE-2026-49847
Description
FreeSWITCH 1.11.1 and earlier are vulnerable to a stack overflow via a deeply nested JSON payload sent over WebSocket, crashing the entire process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FreeSWITCH versions prior to 1.11.1 contain a stack overflow vulnerability in the bundled cJSON parser. A deeply nested JSON document, when parsed by the mod_verto WebSocket frame handler before authentication, can exhaust the worker thread's stack, leading to a crash. This issue affects any FreeSWITCH deployment with a reachable mod_verto WebSocket listener [1].
Exploitation
An attacker can exploit this vulnerability by sending a single, unauthenticated WebSocket frame containing a deeply nested JSON document to the mod_verto listener. The vulnerability is triggered before any authentication or session checks occur, and TLS encryption does not prevent exploitation as parsing happens after transport termination. No user interaction is required [1].
Impact
Successful exploitation of this vulnerability causes the FreeSWITCH process to crash via a stack overflow and SIGSEGV. This terminates all active calls and sessions on the host, leading to a denial of service. The vulnerability does not appear to grant any write primitives or direct code execution capabilities, as the crash occurs before any usable write primitive develops [1].
Mitigation
This vulnerability has been fixed in FreeSWITCH version 1.11.1, released on 2026-06-09 [2]. Users are strongly encouraged to upgrade to this version. As a workaround, administrators can restrict network access to the mod_verto WebSocket listener or disable the mod_verto module entirely [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.11.1
Patches
02ac36bb1197 Merge commit from fork
1 file changed · +5 −0
configure.ac+5 −0 modified@@ -308,6 +308,11 @@ SWITCH_AM_CXXFLAGS="-I${switch_srcdir}/src/include -I${switch_builddir}/src/incl SWITCH_AM_CPPFLAGS="-I${switch_srcdir}/src/include -I${switch_builddir}/src/include -I${switch_srcdir}/libs/libteletone/src" SWITCH_AM_LDFLAGS="-lm" +# Cap cJSON parser recursion depth. Default upstream limit (1000) can overflow +# small thread stacks; both vendored cJSON copies (src/ and libs/esl/) honor this. +APR_ADDTO(SWITCH_AM_CFLAGS, [-DCJSON_NESTING_LIMIT=64]) +APR_ADDTO(SWITCH_AM_CXXFLAGS, [-DCJSON_NESTING_LIMIT=64]) + #set SOLINK variable based on compiler and host if test "x${ax_cv_c_compiler_vendor}" = "xsun" ; then SOLINK="-Bdynamic -dy -G"
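Review bot: In the two added `APR_ADDTO(...)` lines, `-DCJSON_NESTING_LIMIT=64` reaches cJSON only through `SWITCH_AM_CFLAGS` and `SWITCH_AM_CXXFLAGS`, so any object built without those flags would silently keep the upstream default of 1000 that the comment names. The comment states that both vendored copies (src/ and libs/esl/) honor the define, but nothing in this one-file change checks it; consider a build-time check or a regression test that a document nested past 64 levels is rejected. The comment should also record why 64 was chosen relative to the smallest thread stack in use.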
Vulnerability mechanics
Root cause
"Deeply nested JSON documents cause a stack overflow in the cJSON parser."
Attack vector
An unauthenticated attacker can send a single WebSocket frame containing a deeply nested JSON document to the FreeSWITCH server. This payload triggers a stack overflow vulnerability within the cJSON parsing logic. The recursion depth of the parser exceeds the worker thread's stack size, leading to a segmentation fault and process termination. This results in the disruption of all active calls and sessions.
Affected code
The vulnerability lies within the cJSON parsing functions, specifically the mutually recursive `parse_value`/`parse_array`/`parse_object` chain. The patch modifies `configure.ac` to add `-DCJSON_NESTING_LIMIT=64` to `SWITCH_AM_CFLAGS` and `SWITCH_AM_CXXFLAGS` [patch_id=5390378]. This change affects both vendored cJSON copies used by FreeSWITCH.
What the fix does
The patch lowers the `CJSON_NESTING_LIMIT` from the default upstream value of 1000 to 64 by modifying `SWITCH_AM_CFLAGS` and `SWITCH_AM_CXXFLAGS` [patch_id=5390378]. This limits the recursion depth of the `parse_value`, `parse_array`, and `parse_object` functions within cJSON. By capping the nesting level, the patch prevents the worker threads' stack pointers from reaching the stack guard page, thus avoiding the stack overflow and SIGSEGV signal.
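The depth cap described above can also be enforced before a frame reaches any recursive parser. The following is an added example, not code from FreeSWITCH, cJSON or this advisory; `json_max_depth`, the error codes and the sample frames are hypothetical names and constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NESTING_LIMIT 64   /* assumption: same cap the patch passes as CJSON_NESTING_LIMIT */
#define ERR_TOO_DEEP  (-1)
#define ERR_MALFORMED (-2)

/* Hypothetical helper: scan a JSON text iteratively (constant stack use) and
 * return its maximum container depth, ERR_TOO_DEEP if it nests past `limit`,
 * or ERR_MALFORMED on unbalanced brackets or an unterminated string.
 * It bounds depth only; it does not otherwise validate the JSON. */
int json_max_depth(const char *buf, size_t len, int limit)
{
    int depth = 0, max = 0, in_string = 0;

    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (in_string) {                 /* brackets inside strings do not nest */
            if (c == '\\') i++;          /* skip the escaped character */
            else if (c == '"') in_string = 0;
            continue;
        }
        switch (c) {
        case '"':
            in_string = 1;
            break;
        case '[': case '{':
            if (++depth > limit) return ERR_TOO_DEEP;  /* reject before any recursion */
            if (depth > max) max = depth;
            break;
        case ']': case '}':
            if (--depth < 0) return ERR_MALFORMED;
            break;
        default:
            break;
        }
    }
    return (depth == 0 && !in_string) ? max : ERR_MALFORMED;
}

int main(void)
{
    /* Constructed sample frames, not captured traffic. */
    const char *ok   = "{\"method\":\"example\",\"params\":{\"list\":[1,[2]]}}";
    const char *deep = "[[[[1]]]]";
    printf("ok: %d\n", json_max_depth(ok, strlen(ok), NESTING_LIMIT));
    printf("deep, limit 3: %d\n", json_max_depth(deep, strlen(deep), 3));
    return 0;
}
```

Because the scan keeps only a counter, its stack use does not grow with the input, which is the property the recursive `parse_value`/`parse_array`/`parse_object` chain lacks.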
Preconditions
- auth: The attacker does not need any authentication.
- network: The attacker must be able to send WebSocket frames to the FreeSWITCH server.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.