Cyber Posture

CVE-2026-39863

High

Published: 08 April 2026

Published
08 April 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0005 14.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-39863 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Kamailio Kamailio. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 14.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the vulnerability by requiring timely remediation through patching to versions that fix the out-of-bounds access in Kamailio core.

SI-16 Memory Protection good match
prevent

Provides memory protection safeguards like address space randomization and non-executable memory to prevent exploitation of out-of-bounds access leading to process crash.

SI-10 Information Input Validation partial match
prevent

Requires validation of incoming TCP packets to reject specially crafted data that triggers out-of-bounds access in Kamailio.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

The out-of-bounds access vulnerability in Kamailio enables remote unauthenticated attackers to send a crafted TCP packet causing process crash and denial of service, directly mapping to application or system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash)…

more

via a specially crafted data packet sent over TCP. The issue impacts Kamailio instances having TCP or TLS listeners. This vulnerability is fixed in 5.1.1, 6.0.6, and 5.8.8.

Deeper analysisAI

Kamailio, an open-source SIP signaling server formerly known as OpenSER and SER, is affected by CVE-2026-39863, an out-of-bounds access vulnerability in its core. The issue impacts versions prior to 6.1.1, 6.0.6, and 5.8.8, particularly instances configured with TCP or TLS listeners.

Remote, unauthenticated attackers can exploit the vulnerability by sending a specially crafted data packet over TCP, resulting in a denial of service via process crash. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects its network accessibility, low attack complexity, lack of required privileges or user interaction, and high availability impact with no confidentiality or integrity effects.

The vulnerability is addressed in Kamailio versions 5.1.1, 6.0.6, and 5.8.8. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/kamailio/kamailio/security/advisories/GHSA-2wj4-f825-2h2f.

Details

CWE(s)
CWE-119

Affected Products

kamailio
kamailio
6.1.0 · ≤ 5.8.8 · 6.0.0 — 6.0.6

CVEs Like This One

CVE-2026-3394Shared CWE-119
CVE-2024-56438Shared CWE-119
CVE-2026-30883Shared CWE-119
CVE-2026-2522Shared CWE-119
CVE-2024-54551Shared CWE-119
CVE-2026-2521Shared CWE-119
CVE-2025-1215Shared CWE-119
CVE-2024-52923Shared CWE-119
CVE-2025-1898Shared CWE-119
CVE-2026-3663Shared CWE-119

References