CVE-2026-0710 is a vulnerability identified in SIPp version 3.7.3, a popular open-source tool used for testing and simulating Session Initiation Protocol (SIP) communications. The flaw is a NULL pointer dereference triggered when a remote attacker sends specially crafted SIP messages during an active call session. This causes the application to crash, leading to denial of service (DoS). More critically, under specific conditions, the vulnerability may allow an attacker to execute unauthorized code, potentially compromising system integrity and availability. The CVSS 3.1 score of 8.4 reflects high severity, with an attack vector classified as local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U), but confidentiality, integrity, and availability impacts are all high (C:H/I:H/A:H). Although no exploits are currently known in the wild, the vulnerability poses a significant risk to environments using SIPp for SIP testing, especially in telephony and VoIP infrastructure. The lack of available patches at the time of reporting necessitates immediate attention to mitigation strategies.

The primary impact of CVE-2026-0710 is denial of service through application crashes, which can disrupt SIP testing and VoIP call simulation activities, potentially affecting service quality and availability. More severe is the possibility of unauthorized code execution, which could lead to full system compromise, data breaches, or further lateral movement within affected networks. Organizations relying on SIPp for network testing or call load simulation may experience operational interruptions and security breaches. Given the high confidentiality, integrity, and availability impacts, this vulnerability threatens the security posture of telecommunication providers, enterprises with VoIP infrastructure, and security researchers using SIPp. The local attack vector implies that attackers need network access to the SIPp instance, which may limit exposure but does not eliminate risk, especially in shared or poorly segmented environments.

To mitigate CVE-2026-0710, organizations should first verify if they are running SIPp version 3.7.3 and restrict access to SIPp instances to trusted and isolated network segments to prevent unauthorized local access. Employ network segmentation and strict firewall rules to limit exposure of SIPp services. Monitor SIP traffic for anomalous or malformed SIP messages that could indicate exploitation attempts. Until an official patch is released, consider disabling SIPp in production or critical environments or replacing it with alternative SIP testing tools without this vulnerability. Implement runtime protections such as application whitelisting and sandboxing to limit the impact of potential code execution. Regularly update and audit SIPp and related telephony infrastructure software to ensure timely application of security patches once available. Conduct thorough incident response planning for potential exploitation scenarios involving SIPp.