CVE-2021-41145

HIGH

FreeSWITCH <1.10.7 - DoS

Title source: llm

Description

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.

References (2)

[Release Notes, Third Party Advisory] https://github.com/signalwire/freeswitch/releases/tag/v1.10.7

[Exploit, Third Party Advisory] https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m

Scores

CVSS v3 8.6

EPSS 0.0095

EPSS Percentile 76.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Classification

CWE

CWE-401 CWE-400

Status published

Affected Products (1)

freeswitch/freeswitch < 1.10.7

Timeline

Published Oct 25, 2021

Tracked Since Feb 18, 2026