OpenSIPS: Denial of service in presence.handle_publish() from unchecked Content-Type state
Published on May 21, 2026 in security advisory, CVE-2026-45084, opensips, denial of service
- CVSS v4.0, Enable Security assessment
- Vector: link
- Other references:
  - CVE-2026-45084
  - GHSA-h3ww-hchh-x2g9
  - CWE-476: NULL Pointer Dereference
- Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after the May 2026 fix series
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-01-opensips-presence-publish-content-type-dos/
- Tested vulnerable version: OpenSIPS 3.5.9
- Timeline:
  - Enable Security reproduced the issue: 2026-04-24
  - UDP/TCP retest: 2026-04-30
  - OpenSIPS advisory: 2026-05-21
  - Enable Security advisory: 2026-05-21
Description
OpenSIPS published GHSA-h3ww-hchh-x2g9 for a configuration-dependent crash in modules/presence/publish.c:handle_publish(). The vulnerable path calls get_content_type(msg) while sphere checking is enabled, but can reach that call without safe Content-Type parser state.
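
The bug class described above (CWE-476 from reading Content-Type before its parser state is known to be safe), shown as an added example on a simplified model. This is not OpenSIPS source code or the project's patch; the structs, the macro, the function names and the return codes are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (hypothetical, not the OpenSIPS definitions). */
struct hdr { void *parsed; };              /* NULL: header body not parsed yet */
struct msg { struct hdr *content_type; };  /* NULL: no Content-Type header */

enum { CT_OK = 0, CT_ABSENT = -1, CT_UNPARSED = -2 };

/* Unguarded accessor, shown for contrast only and never called here:
 * it dereferences m->content_type unconditionally, so a message without
 * the header faults on this line (CWE-476). */
#define ctype_unchecked(m) ((int)(intptr_t)((m)->content_type->parsed))

/* Guarded accessor: reports absent or unparsed state instead of
 * dereferencing it. In this model parsed == NULL means "not parsed". */
int ctype_checked(const struct msg *m, int *mime)
{
    if (m == NULL || mime == NULL || m->content_type == NULL)
        return CT_ABSENT;
    if (m->content_type->parsed == NULL)
        return CT_UNPARSED;
    *mime = (int)(intptr_t)m->content_type->parsed;
    return CT_OK;
}

/* Caller pattern: consult the MIME id only on CT_OK; any other state is
 * treated as "no match" so the request can be rejected, not crashed on. */
int body_type_matches(const struct msg *m, int wanted)
{
    int mime = 0;
    if (ctype_checked(m, &mime) != CT_OK)
        return 0;
    return mime == wanted;
}

int main(void)
{
    struct hdr parsed = { (void *)(intptr_t)42 };  /* constructed MIME id */
    struct hdr raw = { NULL };
    struct msg ok = { &parsed }, unparsed = { &raw }, none = { NULL };

    printf("parsed header:   %d\n", body_type_matches(&ok, 42));
    printf("unparsed header: %d\n", body_type_matches(&unparsed, 42));
    printf("missing header:  %d\n", body_type_matches(&none, 42));
    return 0;
}
```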