FreeSWITCH Heap Buffer Overflow Bugs Expose Servers to Pre-Auth Attacks

FreeSWITCH, the popular open-source telecom stack, has just patched two critical security flaws. Both are pre-authentication heap buffer overflow bugs, and both fire before any login. Together, they put exposed voice servers at real risk of crashes and possible remote code execution.

Two critical flaws, one update

The first issue, CVE-2026-49841, carries a severe CVSS score of 9.8. It lives in the mod_verto HTTP request handler. The second, CVE-2026-49840, scores 9.1 and affects the libesl library.

Importantly, both flaws were fixed in the same release. Administrators can therefore close both holes with a single upgrade.

Inside the mod_verto overflow

The mod_verto bug is the more dangerous of the pair. The handler allocates a fixed 2 MiB buffer for an HTTP POST body. However, it accepts a Content-Length of nearly 10 MiB.

Because the read loop trusts Content-Length instead of the buffer size, an attacker can push roughly 8 MiB of data past the buffer. As a result, every extra byte lands on the heap with attacker-controlled contents.

Worse still, this happens before the basic-auth check runs. Consequently, no credentials are required. TLS does not help either, since the overflow sits in body parsing after the transport terminates.

The flaw is only reachable when a verto profile includes a configured vhost. Many operators add one to serve a web UI, which quietly pulls their servers into scope.

The libesl parsing bug

The second FreeSWITCH heap buffer overflow lives in libesl. Here, the esl_recv_event() function parses Content-Length with atol(). Then it passes that result straight to malloc() with no final check.

A malicious ESL peer can send a negative Content-Length. With a value of -1, the code underwrites memory and copies attacker data into a zero-byte allocation. Lower values instead trigger a NULL pointer dereference and crash the process.

This affects fs_cli, mod_esl, mod_hash, and any tool linked against libesl. Although ESL is meant for trusted networks, anyone on the same segment can abuse it.

How to protect your systems

Patch now. The maintainers shipped fixes in FreeSWITCH v1.11.1, so upgrading is the cleanest path forward.

If you cannot upgrade right away, several workarounds help. First, restrict the verto listener to trusted networks. Second, remove vhost entries from the verto profile to disable the HTTP handler. Third, switch off mod_verto entirely when it is not in use.

For the libesl issue, lock down which hosts your ESL clients connect to. Additionally, keep the control-plane network isolated from untrusted machines.

Neither bug has a public exploit yet. Still, both are pre-auth and trivial to trigger, so attackers may move quickly. Therefore, treat this update as urgent.