Kamailio SIP Server Crashes with Malformed User Authentication Requests

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.4

Kamailio SIP Server Crashes with Malformed User Authentication Requests

CVE-2026-39864

Summary

The Kamailio SIP server may crash if it receives a specially crafted authentication request. This could potentially disrupt service to users. Update to version 6.0.5 or 5.8.7 to fix this issue.

Original title

Original description

Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.0.5 and 5.8.7, an out-of-bounds read in the auth module of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted SIP packet if a successful user authentication without a database backend is followed by additional user identity checks. This vulnerability is fixed in 6.0.5 and 5.8.7.

nvd CVSS3.1 4.4

Vulnerability type

CWE-125 Out-of-bounds Read

https://github.com/kamailio/kamailio/security/advisories/GHSA-6m86-m342-g48m

Published: 8 Apr 2026 · Updated: 10 Apr 2026 · First seen: 8 Apr 2026