OpenSIPS: Denial of service in SDP bandwidth parsing via QoS SDP cloning

High 8.7

Description

OpenSIPS published GHSA-rh36-mhpv-cx2r for malformed SDP bandwidth-line handling in parser/sdp/sdp_helpr_funcs.c:extract_bwidth(). A missing delimiter can corrupt parsed SDP metadata, which can later crash OpenSIPS when the state is cloned by dialog/QoS handling.

Enable Security reproduced the issue on OpenSIPS 3.5.9 with sipmsgops, dialog, and qos enabled. The vanilla build crashed, and ASan reported negative-size-param in SDP cloning.

Technical details

The vulnerable SDP helper searches for the : delimiter in a bandwidth line and then uses the returned pointer in pointer arithmetic before checking that the delimiter was actually found. A malformed bandwidth line such as b=AS64 (a modifier with no : separating it from the value) can therefore corrupt the parsed bandwidth string metadata instead of being rejected.

The verified crash path was:

  1. An attacker sends an SDP-bearing SIP request with a malformed b= line.
  2. Route or module logic forces SDP parsing. The lab used sipmsgops.codec_exists("PCMU").
  3. Dialog and QoS handling clone or store the parsed SDP.
  4. The corrupted metadata reaches clone_sdp_session_cell() and causes a crash.

Configuration requirements

The verified crash path requires:

  • a SIP route that accepts attacker-controlled SDP bodies
  • route or module logic that invokes parse_sdp(msg) on that body
  • a consumer that clones or stores the parsed SDP, such as the tested dialog plus qos path

Production exposure depends on routing policy and whether unauthenticated INVITE or UPDATE traffic reaches SDP/QoS handling.

Impact

A remote attacker can crash an affected OpenSIPS worker in configurations that parse attacker-controlled SDP and enable QoS/dialog SDP tracking. The verified impact is denial of service. Because corrupted pointer/length metadata reaches memcpy() during shared-memory SDP cloning, impact beyond denial of service cannot be ruled out, but no stronger primitive was demonstrated.

Solutions and recommendations

Upgrade to a fixed OpenSIPS version. OpenSIPS lists fixes in the May 2026 release series, including:

  • OpenSIPS 3.6.6: 8fe74b01f
  • OpenSIPS 4.0.0-rc1: ac5309d5b
  • master: 38d0e6ea0

If immediate patching is not possible, restrict unauthenticated access to routes that parse SDP and enable QoS/dialog tracking, and reject malformed SDP bandwidth lines before invoking SDP/QoS handling.
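As an added illustration of the delimiter check described under Technical details and of the pre-parse rejection recommended above (example code, not OpenSIPS's own): a bandwidth-line parser that tests the result of the : search before any pointer arithmetic uses it, plus a body-level pre-check that rejects an SDP body containing any malformed b= line. The function names, the struct layout and the accepted bwtype characters (a subset of the RFC 8866 token set) are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* One parsed SDP bandwidth line: "b=<bwtype>:<bandwidth>" (RFC 8866, 5.8). */
struct bwidth {
    const char *type;  size_t type_len;   /* e.g. "AS"; hypothetical layout */
    const char *value; size_t value_len;  /* e.g. "64"; digits only */
};
/* Parse one b= line (len excludes CRLF). Returns 1 and fills *out, or 0 if the
 * line is malformed. The ':' search result is tested for NULL before any pointer
 * arithmetic uses it, so "b=AS64" is rejected rather than yielding a bogus length. */
int extract_bwidth_checked(const char *line, size_t len, struct bwidth *out)
{
    const char *p, *end, *colon, *q;
    if (len < 2 || line[0] != 'b' || line[1] != '=')
        return 0;
    p = line + 2;
    end = line + len;
    colon = memchr(p, ':', (size_t)(end - p));
    if (colon == NULL || colon == p || colon + 1 == end)
        return 0;                       /* missing ':', empty type or empty value */
    for (q = p; q < colon; q++)         /* bwtype: alnum, '-' or '_' (assumed token subset) */
        if (!isalnum((unsigned char)*q) && *q != '-' && *q != '_')
            return 0;
    for (q = colon + 1; q < end; q++)   /* bandwidth: decimal digits only */
        if (!isdigit((unsigned char)*q))
            return 0;
    out->type = p;          out->type_len = (size_t)(colon - p);
    out->value = colon + 1; out->value_len = (size_t)(end - colon - 1);
    return 1;
}

/* Pre-check an SDP body before it reaches SDP/QoS processing: returns 0 as soon
 * as any b= line fails extract_bwidth_checked(), 1 otherwise. */
int sdp_bwidth_lines_ok(const char *body, size_t len)
{
    const char *p = body, *end = body + len;
    struct bwidth bw;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        const char *eol = nl ? nl : end;
        size_t ll = (size_t)(eol - p);
        if (ll > 0 && p[ll - 1] == '\r') ll--;      /* accept CRLF or bare LF */
        if (ll >= 2 && p[0] == 'b' && p[1] == '=' && !extract_bwidth_checked(p, ll, &bw))
            return 0;
        p = nl ? nl + 1 : end;
    }
    return 1;
}
```

The body-level check is the kind of gate that can sit in front of any route that calls parse_sdp(msg) on unauthenticated INVITE or UPDATE bodies until the fixed release is deployed.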

About Enable Security

Enable Security provides quality penetration testing to help protect your real-time communications systems against attack.

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Disclosure policy

This report is subject to Enable Security’s vulnerability disclosure policy which can be found at https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy.