CVE-2026-49847

Name: CVE-2026-49847 — Vulnerability Record
Brand: Quanteta Data Lab
SKU: CVE-2026-49847

HIGH

CVSS v3.1: 7.5

NetworkNo privilegesNo user interactionUncontrolled RecursionVendor advisory ref

Source data as of: 2026-06-10 05:05:15 UTC

At a glance

Severity: HIGH
CVSS: 7.5 v3.1 · NVD
EPSS: EPSS not provided by FIRST.org for this CVE
CISA KEV: No
Type: Uncontrolled Recursion · NVD CWE
Attack conditions (CVSS vector): NetworkNo privilegesNo user interaction · Source: NVD Vector
Published: 2026-06-09 · Modified: 2026-06-09
References: Jump to references (2)

CVSS / EPSS / KEV

CVSS v3.1 7.5 / 10 HIGH Source: NVD

EPSS — EPSS not provided by FIRST.org for this CVE Source: FIRST.org

CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1.

Record details

CVE ID: CVE-2026-49847
CVSS (v3.1): 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability subscore: 3.9
Impact subscore: 3.6
CISA KEV: No
Weakness (CWE): CWE-674
Affected configurations (CPE): 0
Published: 2026-06-09
Modified: 2026-06-09
Status: Undergoing Analysis

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.

← Back to all records

CVE-2026-49847

At a glance

CVSS / EPSS / KEV

Description

Record details

References

Related records

Same weakness type (CWE)

Published the same year