Tags Security Advisory

OpenSIPS: Denial of service in presence.handle_publish() from unchecked Content-Type state

Description

OpenSIPS published GHSA-h3ww-hchh-x2g9 for a configuration-dependent crash in modules/presence/publish.c:handle_publish(). The vulnerable path calls get_content_type(msg) while sphere checking is enabled, but can reach that call without safe Content-Type parser state.

OpenSIPS: Watcherinfo XML generation denial of service from oversized watcher URI

Description

OpenSIPS published GHSA-gx83-2gh8-7v56 for a denial-of-service vulnerability in watcherinfo XML generation. The issue is caused by an oversized watcher URI being copied into a fixed-size stack buffer in modules/presence/notify.c:create_winfo_xml().

OpenSIPS: Denial of service in SDP bandwidth parsing via QoS SDP cloning

Description

OpenSIPS published GHSA-rh36-mhpv-cx2r for malformed SDP bandwidth-line handling in parser/sdp/sdp_helpr_funcs.c:extract_bwidth(). A missing delimiter can corrupt parsed SDP metadata, which can later crash OpenSIPS when the state is cloned by dialog/QoS handling.

OpenSIPS: Denial of service in IMC #list member listing

Published on May 21, 2026

  • CVSS v4.0, Enable Security assessment
  • Other references:
  • CVE: not assigned in the OpenSIPS GitHub advisory as of 2026-06-02
  • Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after 76afe3420
  • Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-04-opensips-imc-list-buffer-overflow/
  • Tested vulnerable version: OpenSIPS 3.5.9
  • Timeline:
    • Enable Security reproduced the issue: 2026-04-30
    • Additional verification: 2026-05-15
    • OpenSIPS advisory: 2026-05-21
    • Enable Security advisory: 2026-05-21

Description

OpenSIPS published GHSA-3qr5-cgpj-hxhx for an unchecked fixed-buffer copy in modules/imc/imc_cmd.c:imc_handle_list() while building an IMC room member list reply.

OpenSIPS: Out-of-bounds read in IMC unknown-command reply building

Published on May 21, 2026

Description

OpenSIPS published GHSA-3gfr-36cv-g4fc for an IMC unknown-command reply length mismatch in modules/imc/imc_cmd.c:imc_handle_unknown(). The vulnerable code keeps the would-have-been snprintf() length after truncation and passes that oversized length to TM reply construction.

SIPGO: Response DoS vulnerability via nil pointer dereference

Description

A nil pointer dereference vulnerability was discovered in the SIPGO library’s NewResponseFromRequest function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header.

rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration

Published on Jul 31, 2025

Description

Media servers often support source address learning to dynamically adapt to network conditions and client behavior. This is especially useful in scenarios involving NAT where the source IP and port of incoming RTP packets may differ from what was initially signaled via SDP over SIP. However, this mechanism can be exploited for two types of attacks if malicious packets are accepted as legitimate:

FreeSWITCH: denial of service via DTLS Hello packets during call initiation

TL;DR

When handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

rtpengine: denial of service via DTLS Hello packets during call initiation

TL;DR

When handling DTLS-SRTP for media setup, RTPEngine is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS encrypted calls during the attack.

Asterisk: denial of service via DTLS Hello packets during call initiation

TL;DR

When handling DTLS-SRTP for media setup, Asterisk is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.
