CVE-2022-31003
Published: 31 May 2022
Summary
CVE-2022-31003 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Signalwire Sofia-Sip. Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Sofia-SIP is an open-source SIP User-Agent library that FreeSWITCH and other telephony applications embed for SDP processing. Prior to version 1.13.8, its SDP parser advanced through each line of an incoming message with an unchecked pointer calculation of the form `rest = record + 2`; on a line shorter than two bytes the resulting pointer landed beyond the terminating NUL byte, and the subsequent write went out of bounds (CWE-122, CWE-787). The flaw is reachable over the network without authentication.
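The defect class is a pointer advance that outruns the string terminator. The following C program is an added illustration, not Sofia-SIP's code and not the upstream patch: it models a simplified "<type>=<value>" SDP line walker in which the `record + 2` step is only taken after both bytes it skips are known to exist, and it rejects a body containing a one-character line instead of reading past the NUL. The function names and the sample SDP bodies are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified SDP line splitter (not Sofia-SIP's code).
 * An SDP line has the shape "<type>=<value>", e.g. "v=0" or
 * "m=audio 49170 RTP/AVP 0". Computing record + 2 is only safe once
 * we know that record[0] and record[1] both exist, i.e. that neither
 * is the terminating NUL byte. */

/* Returns a pointer to the value part, or NULL if the line is malformed
 * (empty, or terminated or missing '=' at the second position). */
const char *sdp_line_value(const char *record)
{
    if (record == NULL || record[0] == '\0')
        return NULL;            /* empty line: record + 2 would pass the NUL */
    if (record[1] != '=')
        return NULL;            /* also catches record[1] == '\0' */
    return record + 2;          /* now provably inside the buffer */
}

/* Walks a CR/LF separated SDP body held in a bounded buffer and counts
 * well-formed lines. Returns -1 on the first malformed or oversize line
 * so that a caller can reject the whole message instead of parsing on. */
int sdp_count_lines(const char *body, size_t len)
{
    char line[256];
    int count = 0;
    size_t i = 0;

    while (i < len && body[i] != '\0') {
        size_t start = i;
        while (i < len && body[i] != '\0' && body[i] != '\r' && body[i] != '\n')
            i++;
        size_t n = i - start;
        if (n >= sizeof line)
            return -1;          /* refuse oversize lines rather than truncate */
        memcpy(line, body + start, n);
        line[n] = '\0';
        if (n > 0) {            /* blank lines between CRLF pairs are skipped */
            if (sdp_line_value(line) == NULL)
                return -1;
            count++;
        }
        while (i < len && (body[i] == '\r' || body[i] == '\n'))
            i++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample bodies for this example. */
    const char *good = "v=0\r\no=- 1 1 IN IP4 127.0.0.1\r\nm=audio 49170 RTP/AVP 0\r\n";
    const char *bad  = "v=0\r\na\r\n";   /* second line is a single byte before CRLF */

    printf("well-formed body: %d lines\n", sdp_count_lines(good, strlen(good)));
    printf("truncated line body: %d (rejected)\n", sdp_count_lines(bad, strlen(bad)));
    return 0;
}
```

The point of the check is that the length test happens before the pointer arithmetic, not after: once `record + 2` has been formed on a one-byte line, any later comparison is already operating on an out-of-bounds address.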
An unauthenticated remote attacker can supply a crafted SDP body inside a SIP message. Successful exploitation yields an immediate crash or, under favorable memory layout conditions, remote code execution, consistent with the CVSS 9.1 rating that reflects network attack vector, low complexity, and high impact on integrity and availability.
Upstream resolved the issue in commit 907f2ac and released Sofia-SIP 1.13.8. Distribution advisories (Debian DSA-5410, DLA-3094, Gentoo GLSA-202210-18) recommend upgrading the library or applying the vendor patch; no configuration work-arounds are documented.
EPSS scores rose from a low baseline to a recorded peak of 0.2014 (current value 0.1379), indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52710
Vulnerability details
Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, when parsing each line of an SDP message, `rest = record + 2` will access the memory behind `\0` and cause an out-of-bounds write. An attacker can send a message with evil sdp to FreeSWITCH, causing a crash or more serious consequence, such as remote code execution. Version 1.13.8 contains a patch for this issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are blunted by memory protections that mark writable regions non-executable.