---
title: OpenSIPS: Denial of service in IMC #list member listing
date: 2026-05-21
url: /advisories/ES2026-04-opensips-imc-list-buffer-overflow.md
---

- CVSS v4.0, Enable Security assessment
    - Vector: [link](https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
- Other references:
    - [GHSA-3qr5-cgpj-hxhx](https://github.com/OpenSIPS/opensips/security/advisories/GHSA-3qr5-cgpj-hxhx)
    - CWE-787: Out-of-bounds Write
- CVE: not assigned in the OpenSIPS GitHub advisory as of 2026-06-02
- Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after `76afe3420`
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-04-opensips-imc-list-buffer-overflow/
- Tested vulnerable version: OpenSIPS 3.5.9
- Timeline:
    - Enable Security reproduced the issue: 2026-04-30
    - Additional verification: 2026-05-15
    - OpenSIPS advisory: 2026-05-21
    - Enable Security advisory: 2026-05-21

## Description

OpenSIPS published `GHSA-3qr5-cgpj-hxhx` for an unchecked fixed-buffer copy in `modules/imc/imc_cmd.c:imc_handle_list()` while building an IMC room member list reply.

Enable Security reproduced a vanilla `SIGSEGV` and an ASan global-buffer-overflow on OpenSIPS 3.5.9 when an IMC room had enough long member URIs.

## Technical details

The vulnerable IMC `#list` command builds the room member list into a fixed `imc_body_buf[1024]` buffer. It appends each visible room member URI to the buffer but does not check the remaining space before copying.

The network trigger is a SIP `MESSAGE` containing `#list` sent to an IMC room as a recognized room member. The main precondition is room state: the targeted room must contain enough non-invited, non-deleted members with sufficiently long URIs to exceed the fixed reply buffer.
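The unchecked-append pattern described above, shown beside a bounds-checked variant, as an added illustration that is not OpenSIPS's own code: the global buffer, the member record, the line format (URI plus newline) and the constructed room are all assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define BODY_BUF_SIZE 1024

/* Hypothetical global reply buffer mirroring the fixed imc_body_buf[1024]
 * the advisory describes; illustrative code, not OpenSIPS's own. */
static char body_buf[BODY_BUF_SIZE];

/* Constructed member record: the URI plus the two state flags the advisory
 * says decide whether a member appears in a #list reply. */
struct member {
    const char *uri;
    int invited;
    int deleted;
};

/* Bounds-checked list builder (assumed line format: URI + '\n').
 * Returns the body length, or -1 when the next line would not fit.
 * The vulnerable shape is this same loop without the "fits" test: it copies
 * every visible URI and runs past body_buf once enough long URIs accumulate. */
int build_list_checked(const struct member *m, size_t n)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (m[i].invited || m[i].deleted)
            continue;                               /* not visible in the list */
        size_t len = strlen(m[i].uri);
        if (len + 1 > BODY_BUF_SIZE - 1 - used)     /* URI + '\n', keep room for NUL */
            return -1;                              /* fail closed: caller sends an error */
        memcpy(body_buf + used, m[i].uri, len);
        used += len;
        body_buf[used++] = '\n';
    }
    body_buf[used] = '\0';
    return (int)used;
}

/* Constructed check: 30 visible members with 40-byte URIs need 1230 bytes,
 * more than the 1024-byte buffer, so the checked builder must refuse (-1). */
int demo_large_room_rejected(void)
{
    static char uris[30][64];
    struct member room[30];
    for (int i = 0; i < 30; i++) {
        snprintf(uris[i], sizeof uris[i], "sip:user%02d-long-display-name@example.com", i);
        room[i].uri = uris[i]; room[i].invited = 0; room[i].deleted = 0;
    }
    return build_list_checked(room, 30);
}
```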

## Configuration requirements

The verified crash path requires:

- `imc` loaded and reachable from a SIP route that sends attacker-controlled `MESSAGE` requests to `imc_manager()`
- the sender recognized as a member of the targeted room
- the room containing enough sufficiently long member URIs to exceed the 1024-byte reply buffer

Real-world exposure depends on route policy and how IMC room membership is established or persisted.

## Impact

A remote attacker can trigger an out-of-bounds write in OpenSIPS IMC member listing when the room/member preconditions are met. In our tested OpenSIPS 3.5.9 deployment, the vanilla build crashed with `SIGSEGV`, while ASan reported a global-buffer-overflow in `imc_handle_list()`.

The verified impact is denial of service. Because the issue writes attacker-influenced member URI data beyond a global reply buffer, memory-corruption impact beyond denial of service cannot be ruled out, but no stronger primitive was demonstrated.

## Solutions and recommendations

Upgrade to a fixed OpenSIPS version. OpenSIPS lists fixes in the May 2026 release series, including:

- OpenSIPS 3.6.6: `2fae6df7b`
- OpenSIPS 4.0.0-rc1: `1cef34147`
- master: `76afe3420`

Related IMC hardening commits were also published in the same release series.

If immediate patching is not possible: disable IMC where the feature is not required, restrict which SIP routes pass `MESSAGE` requests to `imc_manager()`, and avoid exposing room membership state that untrusted parties can grow to many long URIs.

## References

- [OpenSIPS advisory GHSA-3qr5-cgpj-hxhx](https://github.com/OpenSIPS/opensips/security/advisories/GHSA-3qr5-cgpj-hxhx)
- [OpenSIPS master fix 76afe3420](https://github.com/OpenSIPS/opensips/commit/76afe3420)

## About Enable Security

[Enable Security](https://www.enablesecurity.com) provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.

