---
title: OpenSIPS: Watcherinfo XML generation denial of service from oversized watcher URI
date: 2026-05-21
url: /advisories/ES2026-02-opensips-watcherinfo-uri-stack-buffer-overflow.md
---

- CVSS v4.0, Enable Security assessment
    - Vector: [link](https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
- Other references:
    - [CVE-2026-45809](https://www.cve.org/CVERecord?id=CVE-2026-45809)
    - [GHSA-gx83-2gh8-7v56](https://github.com/OpenSIPS/opensips/security/advisories/GHSA-gx83-2gh8-7v56)
    - CWE-121: Stack-based Buffer Overflow
- Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after `eeb331cd5`
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-02-opensips-watcherinfo-uri-stack-buffer-overflow/
- Tested vulnerable version: OpenSIPS 3.5.9
- Timeline:
    - Enable Security reproduced the issue: 2026-04-29
    - OpenSIPS advisory: 2026-05-21
    - Enable Security advisory: 2026-05-21

## Description

OpenSIPS published `GHSA-gx83-2gh8-7v56` for a denial-of-service vulnerability in watcherinfo XML generation. The issue is caused by an oversized watcher URI being copied into a fixed-size stack buffer in `modules/presence/notify.c:create_winfo_xml()`.

Enable Security reproduced the issue with a two-step SUBSCRIBE sequence on OpenSIPS 3.5.9. The vanilla build terminated with stack-smashing detection, and the ASan build reported a stack-buffer-overflow.

## Technical details

The vulnerable function builds watcherinfo XML and copies watcher URI data into a fixed 200-byte stack buffer before passing it to XML generation. The code did not check whether the watcher URI length fit in that buffer before copying and adding the trailing NUL byte.

The verified attack flow was:

1. Create a long watcher identity through an `Event: presence` SUBSCRIBE.
2. Trigger `presence.winfo` watcherinfo generation for the same presentity.
3. OpenSIPS enumerates the watcher list and copies the oversized watcher URI into the fixed stack buffer.

ASan confirmed an attacker-controlled stack write overflow in `create_winfo_xml()`.
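The following is an added illustration of the bug class described above, not OpenSIPS's own code: a counted watcher URI is copied into a fixed 200-byte stack buffer during watcher enumeration, and the length check that the vulnerable code lacked rejects anything that would not fit together with its trailing NUL. The buffer size comes from the advisory; the struct, function names and the sample watcher list are assumptions.

```c
/* Added illustration of the bounded-copy check; not OpenSIPS's code. */
#include <stdbool.h>
#include <string.h>

#define WATCHER_URI_BUF 200   /* fixed-size stack buffer, as stated in the advisory */

/* Counted string, the way SIP stacks usually carry header values (no NUL). */
typedef struct { const char *s; size_t len; } str_t;

/* Copies a watcher URI into a fixed buffer and NUL-terminates it. Returns false
 * without writing when the URI plus its '\0' would not fit (the missing check). */
static bool copy_watcher_uri(char *buf, size_t buf_size, str_t uri) {
    if (uri.s == NULL || uri.len >= buf_size)   /* >=: keep one byte for '\0' */
        return false;
    memcpy(buf, uri.s, uri.len);
    buf[uri.len] = '\0';
    return true;
}

/* Simulates the watcher enumeration step of watcherinfo generation: each URI is
 * copied into a local stack buffer before being emitted. Returns the number of
 * watchers emitted; oversized ones are counted in *rejected instead of overflowing. */
static size_t build_winfo(const str_t *watchers, size_t n, size_t *rejected) {
    size_t emitted = 0;
    *rejected = 0;
    for (size_t i = 0; i < n; i++) {
        char uri[WATCHER_URI_BUF];          /* stack buffer, as in the bug */
        if (!copy_watcher_uri(uri, sizeof uri, watchers[i])) {
            (*rejected)++;
            continue;
        }
        /* real code would hand `uri` to the XML builder here */
        emitted++;
    }
    return emitted;
}

/* Constructed sample input: one ordinary URI and one 300-byte oversized one. */
static size_t demo(size_t *rejected) {
    static char big[300];
    memset(big, 'a', sizeof big);
    str_t watchers[2] = {
        { "sip:alice@example.com", 21 },
        { big, sizeof big },
    };
    return build_winfo(watchers, 2, rejected);
}
```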

## Configuration requirements

The verified crash path requires:

- `presence` and `presence_xml` loaded
- routing logic that exposes `handle_subscribe()` to attacker-controlled SUBSCRIBE traffic
- ability to create or influence an oversized watcher URI
- `presence.winfo` watcherinfo generation reachable for the same presentity

Real deployments may require subscription authorization depending on policy.

## Impact

A remote attacker can crash an affected OpenSIPS worker in deployments that expose the relevant presence and watcherinfo functionality. The verified impact is denial of service. Because the issue is a stack-buffer-overflow, memory-corruption impact beyond denial of service cannot be ruled out, but no code execution was demonstrated.

## Solutions and recommendations

Upgrade to a fixed OpenSIPS version. OpenSIPS lists fixes in the May 2026 release series, including:

- OpenSIPS 3.6.6: `c5970d3ee`
- OpenSIPS 4.0.0-rc1: `dd86461b7`
- master: `eeb331cd5`

If immediate patching is not possible, restrict SUBSCRIBE access to trusted peers, disable `presence.winfo` if it is not required, and reject oversized watcher identities before calling `handle_subscribe()`.

## References

- [OpenSIPS advisory GHSA-gx83-2gh8-7v56](https://github.com/OpenSIPS/opensips/security/advisories/GHSA-gx83-2gh8-7v56)
- [CVE-2026-45809](https://www.cve.org/CVERecord?id=CVE-2026-45809)
- [OpenSIPS master fix eeb331cd5](https://github.com/OpenSIPS/opensips/commit/eeb331cd5)

## About Enable Security

[Enable Security](https://www.enablesecurity.com) provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.
