Our news
Conference season: DVRTC talks at OpenSIPS Summit, Kamailio World and CommCon
But what is DVRTC? Damn Vulnerable Real-Time Communications is our
intentionally vulnerable VoIP/WebRTC lab for security training. I’ll be
presenting DVRTC
at both OpenSIPS Summit 2026
(April 28 - May 1, Bucharest) and Kamailio World 2026 (May
7-8, Berlin). The OpenSIPS talk on April 28 covers extending DVRTC with
the new pbx2 scenario (OpenSIPS, FreeSWITCH, and rtpproxy), while the
Kamailio World talk on May 8 focuses on the original pbx1 stack
(Kamailio, Asterisk, rtpengine).
I’ll also be at CommCon 2026 (June 9-11, Düsseldorf) presenting “Attacking
WebRTC Conferencing: A New Scenario for Damn Vulnerable Real-Time
Communications”, which introduces a new DVRTC scenario focused specifically
on WebRTC conferencing security. The schedule isn’t public yet. CommCon has
been a great venue for RTC security content in the past, so I’m looking
forward to being back.
Three conferences, three different DVRTC angles: the
OpenSIPS/FreeSWITCH extension, the Kamailio/Asterisk/rtpengine lab, and
now WebRTC conferencing attacks. If you’re at any of these events, come
say hi.
On our blog: DVRTC v0.2.0, SIPVicious tutorial and an expanded take on AI and RTC security
We’ve been busy on the Enable Security blog
this month with three posts that tie together nicely.
First, we released DVRTC
v0.2.0, adding a second scenario (pbx2) to the lab. This one deploys
OpenSIPS as an edge proxy with FreeSWITCH as the backend and rtpproxy
for media relay. The new exercises include a SIP-driven SQL injection
through FreeSWITCH Lua scripts and exposed call recordings. If you’ve
already played with the pbx1 scenario (Kamailio + Asterisk + rtpengine),
pbx2 gives you a different stack to attack with different vulnerability
patterns. A live instance is up at pbx2.dvrtc.net.
Second, we published a SIPVicious
tutorial that walks through using SIPVicious OSS against the DVRTC
lab. It covers SIP enumeration, credential brute-forcing, and other
attack scenarios step by step. If you’re new to VoIP security testing or
want a structured way to practice with real tools against a safe target,
this is a good starting point.
Third, we expanded our take
on AI-assisted vulnerability research and what it means for RTC
C/C++ projects. We covered
this topic in March following Thomas Ptacek’s “Vulnerability
Research Is Cooked” piece. The expanded blog post goes deeper into the
implications for specific RTC codebases like Kamailio, Asterisk, pjsip,
rtpengine, coturn, and FreeSWITCH, and what maintainers and security
teams should be doing about it.
What’s happening?
Kamailio fixes two DoS vulnerabilities (CVE-2026-39863, CVE-2026-39864)
Two out-of-bounds vulnerabilities in Kamailio were fixed this month,
both foreshadowed by the pre-disclosure
notice we covered in March.
CVE-2026-39863
(CVSS 7.5) is the nasty one. It’s an out-of-bounds access in the
Kamailio core’s TCP data processing. A remote unauthenticated attacker
can crash the server by sending a single crafted TCP packet. Since this
hits the core rather than a module, it affects any Kamailio instance
with TCP or TLS listeners enabled, which is most production deployments
these days. Fixed in 6.1.1, 6.0.6, and 5.8.8. Reported by Younghyo
Cho.
CVE-2026-39864
(medium) is narrower in scope. It’s an out-of-bounds read in the auth
module, triggered when additional user identity checks run after a
successful RFC 2617 authentication against a non-database backend. It
only affects deployments with that specific auth configuration, so the
impact is more limited. Fixed in 6.0.5 and 5.8.7. Reported by
SignalWire.
If your Kamailio’s reliability is important to you, make sure to
apply these fixes.
wolfSSL 5.9.1 fixes 22 CVEs including DTLS 1.3 heap overflow and certificate forgery
wolfSSL
5.9.1 fixes 22 CVEs. A few are directly relevant to VoIP and
WebRTC.
If you use wolfSSL for DTLS 1.3 on the media path (custom WebRTC
stacks, embedded endpoints, media gateways with
--enable-dtls13), the top priority is CVE-2026-5264,
a remote heap buffer overflow in DTLS 1.3 ACK processing. For the
signaling side, there’s a certificate forgery vulnerability (CVE-2026-5194,
CVSS 9.3) where wolfSSL accepts undersized digests during signature
verification across ECDSA, DSA, Ed25519, and Ed448. An attacker can
forge a certificate and have it pass. This matters for SIP/TLS, WSS,
TURN/TLS, and any service-to-service TLS where trust relies on
certificate chain validation. For browser-style WebRTC it seems less of
an issue, since DTLS-SRTP authenticates the peer by comparing the
certificate against the SDP a=fingerprint rather than by CA-path
validation; still, check the advisory for whether the same
signature-verification path is exercised elsewhere in the handshake
before assuming fingerprint-pinned DTLS is unaffected. Both OpenSIPS and
Kamailio ship tls_wolfssl modules, so if you use those for SIP/TLS or
WSS, check your wolfSSL version. We covered
an OpenSIPS wolfSSL verification fix back in October 2023.
The release credits disclosures from Anthropic, KENTECH, Calif.io, and eWalker Consulting.
The certificate forgery was found by Nicholas Carlini at Anthropic, and
Calif.io (founded by Thai Duong of BEAST/CRIME/POODLE fame) explicitly
credits Claude in 8 of the 22 CVEs. We covered
this AI-assisted vulnerability research trend in March. wolfSSL
claims over 5 billion device deployments, and many embedded VoIP phones
and SIP endpoints built on it will never pick up this update on their
own, so if you ship or operate such devices, chase the vendor for new
firmware.
OpenSIPS hardens the httpd MI interface with safe defaults and Basic Auth
OpenSIPS merged a hardening
patch for the httpd module’s MI/HTTP interface on April
7, 2026. The default ip modparam now binds to
127.0.0.1 instead of the wildcard (0.0.0.0 /
::), so fresh installs no longer expose the management
interface to the network. The patch also adds HTTP Basic Auth via three
new modparams (auth_realm, auth_username,
auth_password); when credentials are configured, requests
without valid Basic Auth get a 401. The change closes issue
#2939, originally filed in October 2022, where the reporter flagged
that leaving httpd.so unconfigured exposes a JSON-RPC MI
endpoint on port 8888 to anyone who can reach the host. Three and a half
years is a long time to sit on a “forget one param, get an
unauthenticated MI” issue, but better late than never.
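The two settings side by side, as an added illustration rather than anything taken from the OpenSIPS patch or its documentation: one fragment reproduces what the old default amounted to, the other pins the listener and enables the new Basic Auth modparams. These are two alternative fragments, not one file. `ip` and `port` are long-standing httpd modparams; `auth_realm`, `auth_username` and `auth_password` are the three the April patch adds, so the second fragment only loads on a build that includes it. Loading `mi_http` alongside httpd, as the module that actually serves JSON-RPC MI over that listener, is my assumption about the reporter's setup.

```cfg
# Before: what a bare httpd.so load used to amount to. A wildcard listener
# and no credentials means anyone who can reach TCP/8888 gets the MI.
loadmodule "httpd.so"
modparam("httpd", "ip", "0.0.0.0")
modparam("httpd", "port", 8888)
loadmodule "mi_http.so"

# After: loopback only, plus HTTP Basic Auth; requests without valid
# credentials get a 401. Keep the explicit ip even on patched builds so the
# intent survives any future default change, and if the MI really must be
# reachable off-host, put TLS in front of it: Basic Auth is plaintext.
loadmodule "httpd.so"
modparam("httpd", "ip", "127.0.0.1")
modparam("httpd", "port", 8888)
modparam("httpd", "auth_realm", "opensips-mi")
modparam("httpd", "auth_username", "mi-admin")
modparam("httpd", "auth_password", "replace-with-a-long-random-secret")
loadmodule "mi_http.so"
```

A quick check after restart is to hit the listener from another host: with the second fragment the connection should be refused outright, and from the box itself a request without credentials should come back as 401 rather than a JSON-RPC response.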
PJSIP: more advisories and pjproject 2.17 release
The pjproject advisory count keeps growing. We covered
six advisories in March (CVE-2026-29068, CVE-2026-32942,
CVE-2026-28799, CVE-2026-32945, CVE-2026-33069, CVE-2026-34235), all on
the master branch at the time. Those have now been assigned GHSAs and
are part of the pjproject
2.17 release. On top of those, several new vulnerabilities were
disclosed this month.
The new ones worth highlighting: a stack buffer overflow in digest
authentication (CVE-2026-40892)
where pjsip_auth_create_digest2() copies pre-computed
credentials into a 128-byte buffer without length validation. Two H.264
video issues: a heap overflow in the unpacketizer when processing
malformed SRTP packets (CVE-2026-26967)
and a heap underflow in the packetizer from malformed bitstreams (CVE-2026-26203).
A second Opus codec overflow in FEC decode buffers (CVE-2026-40614),
separate from the one disclosed in March. And a GnuTLS
certificate verification bypass in SIP TLS transport that accepts
invalid/expired/self-signed certificates despite explicit verification
settings, enabling MITM attacks on SIPS connections. This last one only
affects GnuTLS builds; the OpenSSL and SecureTransport backends are not
affected.
That brings the total to 13 advisories across March and April. If you
run Asterisk or anything else that bundles pjproject, check whether your
version includes the 2.17 fixes. Asterisk shipped
some of the March fixes in 21.12.2 and certified-22.8-cert2, but the
April batch may not be covered yet.
coturn 4.10.0 security fixes
coturn
4.10.0 is out with several security fixes.
The formal advisory covers CVE-2026-40613,
a misaligned memory access bug in the STUN attribute parser. coturn
walks STUN attributes using pointer arithmetic in
ns_turn_msg.c, and a malformed attribute layout can cause
the “next attribute” pointer to become oddly aligned. The code then
casts that pointer to a uint16_t * and dereferences it,
which is undefined behavior in C. The advisory describes this as a
pre-auth remote DoS on ARM64/AArch64, though in our testing we could
only trigger it under UBSan, not on stock Apple Silicon or Linux ARM64
environments. The crash depends on strict alignment faulting, which is
not the default on most mainstream ARM64 systems. Reported by Radoslaw
Matusiak.
The release also addresses other security issues reported by jming912
that don’t have formal CVEs yet. One is a pre-auth stack
buffer overflow in OAuth token decoding:
decode_oauth_token_gcm() reads a nonce length from an
untrusted token and uses it directly in a memcpy() into a
256-byte stack buffer, no bounds check. The other is a uint16_t
integer overflow in message framing for TCP/TLS connections, where
stun_get_message_len_str() truncates the total message
length calculation, which can leave attacker-controlled bytes in the
buffer to be processed as a new message.
This is coturn’s third advisory in 2026, following the IPv4-mapped
IPv6 ACL bypass in February and the weak
RNG issue in January. Worth upgrading.
Linux kernel netfilter VoIP connection tracking vulnerabilities
Three CVEs landed in the Linux kernel’s netfilter VoIP connection
tracking helpers this month, covering both SIP and H.323.
The most notable is CVE-2026-23457,
a Content-Length integer truncation in nf_conntrack_sip’s
TCP path. On 64-bit kernels, an oversized Content-Length wraps around,
the parser computes the wrong message boundary, and trailing bytes get
fed into the SDP parser as a second SIP message. An attacker could use
this to manipulate NAT pinholes or media expectations on a gateway
running the SIP helper. Only affects SIP over TCP. The other two are
lower impact: CVE-2026-31427
is an uninitialized variable in SDP processing that on most distro
kernels just rewrites inactive sessions to 0.0.0.0, and CVE-2026-23456
is a small OOB read in the H.323 helper.
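The Content-Length problem is a framing question: where does this SIP message end and the next one start. The function below is an added example of my own, not the kernel's nf_conntrack_sip code, showing the boundary computed with overflow-checked size_t arithmetic and checked against the bytes actually buffered, so an oversized value is rejected instead of wrapping and pushing the boundary into the middle of the body. The INVITE it parses is constructed for the example, not a capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Case-insensitive "does s[0..n) start with the lowercase prefix". */
static int starts_ci(const char *s, size_t n, const char *prefix) {
    size_t pl = strlen(prefix);
    if (n < pl) return 0;
    for (size_t i = 0; i < pl; i++)
        if (tolower((unsigned char)s[i]) != (unsigned char)prefix[i]) return 0;
    return 1;
}

/* Return the offset one past the end of the SIP message that starts at
   msg[0..len), using Content-Length (or its compact form "l:"), or 0 if the
   header is missing, non-numeric, would overflow size_t, or claims more body
   than the buffer holds. The value is accumulated digit by digit with an
   overflow check, so it cannot wrap to a small number and move the boundary
   into the real body. A TCP framer loops on this: msg += end; len -= end. */
size_t sip_message_end(const char *msg, size_t len) {
    const char *hdr_end = NULL;
    for (size_t i = 0; i + 3 < len; i++)
        if (memcmp(msg + i, "\r\n\r\n", 4) == 0) { hdr_end = msg + i + 4; break; }
    if (!hdr_end) return 0;                          /* headers not complete yet */
    size_t body_off = (size_t)(hdr_end - msg);

    const char *line = msg;
    while (line < hdr_end - 2) {                     /* stop at the blank line */
        const char *eol = memchr(line, '\n', (size_t)(hdr_end - line));
        if (!eol) break;
        size_t llen = (size_t)(eol - line);
        const char *val = NULL;
        if (starts_ci(line, llen, "content-length:")) val = line + 15;
        else if (starts_ci(line, llen, "l:"))          val = line + 2;
        if (val) {
            while (val < eol && (*val == ' ' || *val == '\t')) val++;
            size_t clen = 0; int ndig = 0;
            for (; val < eol && isdigit((unsigned char)*val); val++, ndig++) {
                unsigned d = (unsigned)(*val - '0');
                if (clen > (SIZE_MAX - d) / 10) return 0;  /* would wrap */
                clen = clen * 10 + d;
            }
            if (ndig == 0) return 0;
            if (clen > len - body_off) return 0;           /* body exceeds buffer */
            return body_off + clen;
        }
        line = eol + 1;
    }
    return 0;                       /* no Content-Length: not frameable on TCP */
}

/* Constructed INVITE with a 37-byte SDP body (not a real capture). */
const char sip_sample[] =
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK1\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n";

/* Same message with a Content-Length far beyond what any integer holds. */
const char sip_huge_clen[] =
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK1\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 1000000000000000000000000\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n";

int main(void) {
    printf("sample: end=%zu len=%zu\n",
           sip_message_end(sip_sample, strlen(sip_sample)), strlen(sip_sample));
    printf("huge:   end=%zu (0 = rejected)\n",
           sip_message_end(sip_huge_clen, strlen(sip_huge_clen)));
    return 0;
}
```

Note the second check, clen against the bytes actually held: even a value that fits the integer type must not be trusted until that much body has arrived, otherwise the trailing bytes of the current read are handed to the SDP parser as if they were the next message, which is exactly the effect the kernel bug has.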
If you run VoIP infrastructure on Linux, you probably already know
the advice: don’t enable nf_conntrack_sip or any SIP ALG.
It mangles SIP, corrupts SDP, and keeps producing kernel bugs. Handle
NAT traversal at the application layer (rtpengine, rtpproxy, SBCs,
ICE/STUN/TURN). Where you still see it active is mostly consumer/SMB
routers and network devices with SIP ALG on by default, and small PBX
setups run by generalists. The H.323 helper is even more of a relic. We
haven’t seen H.323 in the wild in a very long time.
VoIP security: why encryption alone isn’t enough for voice and video calls
Jose Montalvo wrote an overview
on the WebRTC.ventures blog covering why encrypting voice and video
content doesn’t solve VoIP security on its own. The post walks through
metadata leakage in peer-to-peer calls (IP address exposure during NAT
traversal), relay-based mitigations like WhatsApp’s “Protect IP address
in calls” feature, and common attack vectors like SIP scanning and
brute-force authentication. Good introductory read for anyone new to the
topic.
Mozilla using AI to find Firefox vulnerabilities at scale
Firefox CTO Bobby Holley published “The
zero-days are numbered”, announcing that Mozilla has been using AI
models to proactively find security vulnerabilities in Firefox since
February. Firefox 148 fixed 22 bugs found via Claude Opus 4.6, and
Firefox 150 fixes 271 vulnerabilities found using Claude Mythos Preview.
Five of the Firefox 150 CVEs are in WebRTC components, including a
high-severity use-after-free (CVE-2026-6747).
We covered
three WebRTC signaling bugs credited to Claude in Firefox 149 last
month.
This fits the trend we’ve been tracking
since March: Carlini finding the wolfSSL certificate forgery,
Calif.io using Claude for 8 wolfSSL CVEs, and now Mozilla applying the
same approach at browser scale. Holley frames it as defense finally
having a chance to win, with AI finding bugs before attackers do. For
RTC projects sharing the same C/C++ attack surface, this is worth paying
attention to.
Short news
Chrome 147 fixes a high-severity use-after-free in WebRTC (CVE-2026-5860)
that allows remote code execution within the browser sandbox via a
crafted HTML page. The $11k bounty suggests Google considers this a real
risk. Fixed in Chrome 147.0.7727.55.
Grandstream enforced mandatory MFA for all GDMS (Grandstream Device
Management System) users as of April 7, 2026. GDMS is Grandstream’s
cloud platform for managing VoIP devices.
Neko, a self-hosted virtual browser that streams a remote desktop to
users over WebRTC, has a privilege escalation vulnerability (CVE-2026-39386)
affecting versions 3.0.0-3.0.10 and 3.1.0-3.1.1. Any authenticated user
can gain full admin control of the instance. Patched in v3.0.11 and
v3.1.2.
M. Cory Billington found a command injection in the FreePBX API
module (CVE-2026-40520,
CVSS 8.6) affecting v17.0.8 and earlier. Authenticated attackers with
valid bearer tokens can inject shell commands via GraphQL
moduleOperations mutations, which pass unsanitized input to
shell_exec(). Published by VulnCheck as CNA; no FreePBX
advisory or patch at time of writing.
Two chainable flaws in MiCollab’s Audio, Web, Video Conferencing
(AWV) component, reported by Almog Biton: an unauthenticated SQL
injection (CVSS 9.8) and an authenticated privilege escalation (CVSS
6.7). Affects MiCollab 10.2 and earlier, fixed in 10.2 SP1. MiCollab AWV
has had a rough couple of years with chainable exploitation.
ZLMediaKit, an open source streaming media framework handling
RTP/RTSP/RTMP/WebRTC, has a heap buffer overflow (CVE-2026-35203,
CVSS 7.5) in the VP9 RTP payload parser. The parser reads flag-dependent
fields without checking buffer length; a single-byte payload of
0xFF is said to be enough to trigger it.
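The VP9 descriptor is a good illustration of "flag-dependent fields": one header byte announces up to four optional sections, and a parser that trusts the flags without checking the remaining length walks off the end of a one-byte packet. Below is a bounds-checked parser for that descriptor, following the layout in draft-ietf-payload-vp9, as an added example of my own; it is not ZLMediaKit's code and says nothing about how that project's parser is written. The payloads are constructed for the example, not taken from a capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* True if n more bytes are available at offset off. */
static int need(size_t have, size_t off, size_t n) { return off + n <= have; }

/* Parse the VP9 RTP payload descriptor at the start of p[0..len).
   Layout (draft-ietf-payload-vp9): I|P|L|F|B|E|V|Z first byte, then
     I:   M|PICTURE ID (7 bits), plus an EXTENDED PID byte when M is set
     L:   TID|U|SID|D, plus TL0PICIDX in non-flexible mode (F == 0)
     P&F: up to three P_DIFF|N bytes, chained while N is set
     V:   scalability structure: N_S|Y|G|..., Y -> WIDTH/HEIGHT per spatial
          layer, G -> N_G then per-PG T|U|R|.. followed by R P_DIFF bytes
   Returns the descriptor length (offset of the first bitstream byte), or -1
   when a flag promises a field the packet does not contain. A lone 0xFF byte
   sets every flag at once and fails at the PICTURE ID read. */
int vp9_descriptor_len(const uint8_t *p, size_t len) {
    if (!need(len, 0, 1)) return -1;
    uint8_t b = p[0];
    int I = b & 0x80, P = b & 0x40, L = b & 0x20, F = b & 0x10, V = b & 0x02;
    size_t off = 1;
    if (I) {
        if (!need(len, off, 1)) return -1;
        off += (p[off] & 0x80) ? 2 : 1;            /* 7- or 15-bit picture ID */
        if (off > len) return -1;
    }
    if (L) {
        off += F ? 1 : 2;                           /* layer byte (+ TL0PICIDX) */
        if (off > len) return -1;
    }
    if (P && F) {
        for (int i = 0; i < 3; i++) {
            if (!need(len, off, 1)) return -1;
            uint8_t d = p[off++];
            if (!(d & 0x01)) break;                 /* N bit: another P_DIFF follows */
        }
    }
    if (V) {
        if (!need(len, off, 1)) return -1;
        uint8_t ss = p[off++];
        unsigned n_s = ((ss >> 5) & 0x07) + 1;      /* number of spatial layers */
        int Y = ss & 0x10, G = ss & 0x08;
        if (Y) {
            if (!need(len, off, 4u * n_s)) return -1;
            off += 4u * n_s;                        /* WIDTH(16) HEIGHT(16) each */
        }
        if (G) {
            if (!need(len, off, 1)) return -1;
            unsigned n_g = p[off++];
            for (unsigned g = 0; g < n_g; g++) {
                if (!need(len, off, 1)) return -1;
                unsigned r = (p[off++] >> 2) & 0x03; /* R: count of P_DIFF bytes */
                if (!need(len, off, r)) return -1;
                off += r;
            }
        }
    }
    return (int)off;
}

/* Constructed payloads. vp9_full sets I, P, L, F and V: 7-bit PID, one layer
   byte, two chained P_DIFFs, and an SS with one 640x480 layer and one PG
   entry carrying a single P_DIFF, 13 bytes in all. */
const uint8_t vp9_lone_ff[1]  = { 0xFF };
const uint8_t vp9_minimal[2]  = { 0x80, 0x05 };
const uint8_t vp9_full[13]    = { 0xF2, 0x05, 0x00, 0x03, 0x04, 0x18,
                                  0x02,0x80, 0x01,0xE0, 0x01, 0x04, 0x01 };

int main(void) {
    printf("lone 0xFF: %d\n", vp9_descriptor_len(vp9_lone_ff, sizeof vp9_lone_ff));
    printf("minimal:   %d\n", vp9_descriptor_len(vp9_minimal, sizeof vp9_minimal));
    printf("full:      %d\n", vp9_descriptor_len(vp9_full, sizeof vp9_full));
    printf("truncated: %d\n", vp9_descriptor_len(vp9_full, sizeof vp9_full - 1));
    return 0;
}
```

The discipline is the same as for STUN and SIP above: every read is preceded by a check on the bytes that remain, and the function reports how much it consumed so the caller can hand exactly the rest to the bitstream decoder.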