CVE-2026-39863
Kamailio Core: TCP Data Processing Vulnerability
CVSS Score
7.5
EPSS Score
0.1%
EPSS Percentile
29th
Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted data packet sent over TCP. The issue impacts Kamailio instances having TCP or TLS listeners. This vulnerability is fixed in 5.1.1, 6.0.6, and 5.8.8.
| CWE | CWE-119 |
| Vendor | kamailio |
| Product | kamailio |
| Published | Apr 8, 2026 |
| Last Updated | Apr 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for kamailio kamailio
Be the first to know when new high vulnerabilities affecting kamailio kamailio are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
kamailio / kamailio
< 5.8.8 >= 6.0.0, < 6.0.6 >= 6.1.0, < 6.1.1