- CVSS v4.0, Enable Security assessment
- Vector: link
- Other references:
- GHSA-3qr5-cgpj-hxhx
- CWE-787: Out-of-bounds Write
- CVE: not assigned in the OpenSIPS GitHub advisory as of 2026-06-02
- Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after
76afe3420 - Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-04-opensips-imc-list-buffer-overflow/
- Tested vulnerable version: OpenSIPS 3.5.9
- Timeline:
- Enable Security reproduced the issue: 2026-04-30
- Additional verification: 2026-05-15
- OpenSIPS advisory: 2026-05-21
- Enable Security advisory: 2026-05-21
Description
OpenSIPS published GHSA-3qr5-cgpj-hxhx for an unchecked fixed-buffer copy in modules/imc/imc_cmd.c:imc_handle_list() while building an IMC room member list reply.
Enable Security reproduced a vanilla SIGSEGV and an ASan global-buffer-overflow on OpenSIPS 3.5.9 when an IMC room had enough long member URIs.
Technical details
The vulnerable IMC #list command builds the room member list into a fixed imc_body_buf[1024] buffer. It appends each visible room member URI to the buffer but does not check the remaining space before copying.
The network trigger is a SIP MESSAGE containing #list sent to an IMC room as a recognized room member. The main precondition is room state: the targeted room must contain enough non-invited, non-deleted members with sufficiently long URIs to exceed the fixed reply buffer.
Configuration requirements
The verified crash path requires:
imcloaded and reachable from a SIP route that sends attacker-controlledMESSAGErequests toimc_manager()- the sender recognized as a member of the targeted room
- the room containing enough sufficiently long member URIs to exceed the 1024-byte reply buffer
Real-world exposure depends on route policy and how IMC room membership is established or persisted.
Impact
A remote attacker can trigger an out-of-bounds write in OpenSIPS IMC member listing when the room/member preconditions are met. In our tested OpenSIPS 3.5.9 deployment, the vanilla build crashed with SIGSEGV, while ASan reported a global-buffer-overflow in imc_handle_list().
The verified impact is denial of service. Because the issue writes attacker-influenced member URI data beyond a global reply buffer, memory-corruption impact beyond denial of service cannot be ruled out, but no stronger primitive was demonstrated.
Solutions and recommendations
Upgrade to a fixed OpenSIPS version. OpenSIPS lists fixes in the May 2026 release series, including:
- OpenSIPS 3.6.6:
2fae6df7b - OpenSIPS 4.0.0-rc1:
1cef34147 - master:
76afe3420
Related IMC hardening commits were also published in the same release series.
If immediate patching is not possible, disable or restrict IMC routes if the feature is not required, limit access to MESSAGE routes that call imc_manager(), and avoid exposing attacker-controllable large IMC room membership state.
References
About Enable Security
Enable Security provides quality penetration testing to help protect your real-time communications systems against attack.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Disclosure policy
This report is subject to Enable Security’s vulnerability disclosure policy which can be found at https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy.