This page discusses two critical security vulnerabilities in FreeSWITCH, an open-source telecom stack, identified as CVE-2026-49841 and CVE-2026-49840. Both are heap buffer overflow bugs that can lead to crashes and possibly to remote code execution, and neither requires authentication. The first flaw, with a CVSS score of 9.8, affects the mod_verto HTTP request handler: because the handler does not properly validate the Content-Length header, an attacker can send an oversized body and trigger the overflow.
The second vulnerability, scoring 9.1, resides in the libesl library, where insufficient validation of Content-Length can likewise corrupt heap memory. Patches are available in FreeSWITCH v1.11.1, and administrators are urged to upgrade immediately or to apply restrictive workarounds to mitigate the risk in the meantime.
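Both flaws belong to the same bug class: a client-supplied Content-Length is trusted when sizing a write into a fixed heap buffer. The following is an added example written for this page, not FreeSWITCH's or libesl's own code, showing what a hardened handler checks before copying a body. The `body_buf_t` type, `parse_content_length` and `copy_body_checked` are hypothetical names, and the request payloads are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-connection body buffer: a fixed-capacity heap
 * allocation of the kind a server might reserve up front. */
typedef struct {
    char *data;
    size_t capacity;
    size_t length;
} body_buf_t;

body_buf_t *body_buf_new(size_t capacity)
{
    body_buf_t *b = malloc(sizeof *b);
    if (b == NULL) return NULL;
    b->data = malloc(capacity);
    if (b->data == NULL) { free(b); return NULL; }
    b->capacity = capacity;
    b->length = 0;
    return b;
}

void body_buf_free(body_buf_t *b)
{
    if (b == NULL) return;
    free(b->data);
    free(b);
}

/* Parse a Content-Length header value strictly: decimal digits only,
 * no sign, no whitespace, and no arithmetic overflow while accumulating.
 * Returns 0 on success and -1 on any malformed value. */
int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || *value == '\0') return -1;
    size_t n = 0;
    for (const char *p = value; *p != '\0'; p++) {
        if (*p < '0' || *p > '9') return -1;
        size_t d = (size_t)(*p - '0');
        if (n > (SIZE_MAX - d) / 10) return -1;   /* n * 10 + d would overflow */
        n = n * 10 + d;
    }
    *out = n;
    return 0;
}

/* Hardened copy. The unsafe pattern this corrects is
 *     memcpy(buf->data, payload, declared);
 * with no comparison of `declared` against buf->capacity: the client then
 * chooses how far past the allocation the write runs. Two checks close it:
 * the declared length must fit the buffer, and it must not exceed the
 * bytes actually received, so the copy never reads past the packet either. */
int copy_body_checked(body_buf_t *buf, const char *payload, size_t available,
                      const char *content_length_hdr)
{
    size_t declared;
    if (parse_content_length(content_length_hdr, &declared) != 0) return -1;
    if (declared > buf->capacity) return -1;   /* the missing bounds check */
    if (declared > available) return -1;       /* incomplete or truncated body */
    memcpy(buf->data, payload, declared);
    buf->length = declared;
    return 0;
}

/* Stand-alone driver over constructed requests: one that fits the buffer
 * and one whose declared length exceeds it. */
int main(void)
{
    body_buf_t *b = body_buf_new(16);
    if (b == NULL) return 1;
    const char *benign = "hello";
    printf("benign body (Content-Length: 5): %s\n",
           copy_body_checked(b, benign, strlen(benign), "5") == 0 ? "accepted" : "rejected");
    printf("oversized body (Content-Length: 4096): %s\n",
           copy_body_checked(b, benign, strlen(benign), "4096") == 0 ? "accepted" : "rejected");
    body_buf_free(b);
    return 0;
}
```

The second check matters as much as the first: a handler that bounds the copy by capacity but still trusts Content-Length over the bytes received will read uninitialised or stale heap memory into the body, which is the mirror image of the overflow.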