CVE-2026-39863

Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted data packet sent over TCP. The issue impacts Kamailio instances having TCP or TLS listeners. This vulnerability is fixed in 5.1.1, 6.0.6, and 5.8.8.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/kamailio/kamailio/security/advisories/GHSA-2wj4-f825-2h2f	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:kamailio:kamailio::::::::
	cpe:2.3:a:kamailio:kamailio::::::::
	cpe:2.3:a:kamailio:kamailio:6.1.0:::::::*

History

15 Apr 2026, 15:58

Type	Values Removed	Values Added
References	~~() https://github.com/kamailio/kamailio/security/advisories/GHSA-2wj4-f825-2h2f -~~	() https://github.com/kamailio/kamailio/security/advisories/GHSA-2wj4-f825-2h2f - Vendor Advisory
CPE		cpe:2.3:a:kamailio:kamailio:::::::: cpe:2.3:a:kamailio:kamailio:6.1.0:::::::*
First Time		Kamailio Kamailio kamailio

08 Apr 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-08 20:16

Updated : 2026-04-15 15:58

NVD link : CVE-2026-39863

Mitre link : CVE-2026-39863

CVE.ORG link : CVE-2026-39863

JSON object : View

Products Affected

kamailio

kamailio

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

7.5 /10