Executive Summary
CVE-2026-10629 is a CVSS 9.1 Critical vulnerability in the Verizon IMS (IP Multimedia Subsystem) stack responsible for VoLTE (Voice over LTE) calls. The root cause is the absence of IPsec integrity protection on SIP signaling channels: neither Security-Client nor Security-Server headers are negotiated, and no ESP (Encapsulating Security Payload) traffic is enforced between endpoints and the P-CSCF (Proxy Call Session Control Function).
The consequence is that an on-path attacker — positioned between the UE (user equipment) and the carrier core — can compromise the confidentiality, integrity, and authenticity of VoLTE signaling, opening the door to call interception, session manipulation, and SIP message forgery.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-10629 |
| CVSS Score | 9.1 (Critical) |
| Type | Missing IPsec integrity protection (SIP/IMS) |
| Attack Vector | On-path network attacker |
| Authentication | Not required |
| Impact | Confidentiality, Integrity, Authenticity of VoLTE signaling |
| Published | June 2, 2026 |
| Source | NVD |
Technical Background: VoLTE and IMS Security
How VoLTE SIP Signaling Should Work
In a correctly implemented VoLTE architecture, 3GPP standards (TS 33.203) mandate that SIP signaling between the UE and P-CSCF is protected by IPsec ESP in transport mode. The security association negotiation proceeds via:
- REGISTER request — UE sends `Security-Client` header listing supported IPsec algorithms and SPI values
- 401 Unauthorized — P-CSCF responds with `Security-Server` header listing its capabilities
- SA establishment — Both sides establish IPsec SAs before the second REGISTER
- Protected signaling — All subsequent SIP traffic (INVITE, BYE, etc.) is encrypted and integrity-protected via ESP
What CVE-2026-10629 Exposes
Verizon's IMS implementation skips the IPsec negotiation entirely:
- `Security-Client` headers are absent from REGISTER requests
- `Security-Server` headers are not returned in 401 responses
- No IPsec security associations are established
- SIP signaling traverses the network in plaintext (or with only TLS to the SBC, not end-to-end IPsec)
This means any attacker who can reach the radio access network (RAN) segment or intercept traffic between the UE and the P-CSCF can read and modify SIP messages.
Attack Scenarios
1. Call Interception
Without IPsec protecting SIP signaling, an on-path attacker can:
- Read `INVITE` messages to determine call destinations
- Intercept `200 OK` with SDP to obtain RTP stream addresses and ports
- Forward or redirect media streams through attacker-controlled infrastructure
2. Session Hijacking / Caller ID Spoofing
SIP From and P-Asserted-Identity headers are unsigned without IPsec. An attacker can:
- Inject forged REGISTER messages to reroute incoming calls
- Spoof the `From` header to impersonate other users
- Replay SIP responses to extend or terminate sessions
3. Signaling Manipulation
With full read/write access to SIP messages:
- Modify SDP body to redirect media to attacker's RTP endpoint
- Strip or alter codec negotiation parameters
- Inject BYE messages to silently terminate active calls
Who Is Affected
This vulnerability affects Verizon subscribers using VoLTE on devices where the IMS client complies with the carrier's IMS provisioning. Affected scenarios include:
- All voice calls placed over the LTE network (VoLTE)
- SMS over IMS (VoLTE-SMS)
- Wi-Fi Calling (VoWiFi) where the same IMS core is used
The attack requires an on-path position — realistic in the following contexts:
- Rogue or compromised femtocell/small cell
- LTE network segment access (carrier insider, SS7-adjacent positioning)
- Shared Wi-Fi network carrying VoWiFi traffic (if IMS security also lacks proper TLS)
- Baseband-level man-in-the-middle (advanced, nation-state tier)
CVSS Breakdown
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network | Exploitable from network position |
| Attack Complexity | High | Requires on-path positioning |
| Privileges Required | None | No authentication needed |
| User Interaction | None | Passive — user simply makes a call |
| Confidentiality Impact | High | Full SIP signaling readable |
| Integrity Impact | High | SIP messages can be modified |
| Availability Impact | Low | Session disruption possible |
| CVSS 3.1 Score | 9.1 | Critical |
Remediation
Verizon has not issued a public patch or mitigation advisory at the time of publication. The following mitigations should be considered:
For Carriers
- Enforce IPsec on P-CSCF: Require `Security-Client` negotiation in REGISTER; reject registrations that do not include IPsec SA parameters
- Mandatory ESP in transport mode: Configure the P-CSCF to establish and verify IPsec SAs per 3GPP TS 33.203
- Network monitoring: Deploy anomaly detection on the Gi/SGi interface for SIP signaling anomalies
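The check behind the first carrier mitigation, and behind the negotiation described under "How VoLTE SIP Signaling Should Work", can be run over a captured initial REGISTER and its 401. This is an added example in Python, not code from the advisory or from any vendor. The function names are hypothetical, the sample messages are constructed, and the required parameter set follows the `ipsec-3gpp` header syntax of RFC 3329 and TS 33.203.

```python
import re

# SA parameters an ipsec-3gpp offer must carry (RFC 3329 / TS 33.203 header syntax).
REQUIRED = {"alg", "spi-c", "spi-s", "port-c", "port-s"}

def parse_sip(raw):
    """Return (start line, {lower-cased header name: [values]}) for one message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = re.sub(r"\n[ \t]+", " ", head).split("\n")  # unfold continuation lines
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def ipsec_offers(headers, name):
    """Parameter dicts for every ipsec-3gpp mechanism listed in header `name`."""
    offers = []
    for mech in ",".join(headers.get(name, [])).split(","):
        parts = [p.strip() for p in mech.split(";")]
        if parts[0].lower() == "ipsec-3gpp":
            pairs = (p.partition("=") for p in parts[1:])
            offers.append({k.strip().lower(): v.strip() for k, _, v in pairs})
    return offers

def audit_registration(register_raw, challenge_raw):
    """Findings for an initial REGISTER and its 401; an empty list means negotiated."""
    _, hdrs = parse_sip(register_raw)
    client = ipsec_offers(hdrs, "security-client")
    findings = [] if client else ["REGISTER: no Security-Client ipsec-3gpp offer"]
    findings += ["Security-Client: missing " + ",".join(sorted(REQUIRED - set(o)))
                 for o in client if REQUIRED - set(o)]
    start, hdrs = parse_sip(challenge_raw)
    if not re.match(r"SIP/2\.0 401\b", start):
        findings.append("response: not a 401 challenge")
    elif not ipsec_offers(hdrs, "security-server"):
        findings.append("401: no Security-Server ipsec-3gpp offer")
    return findings

# Constructed sample messages (not captured traffic); host, SPIs and ports are made up.
GOOD_REG = ("REGISTER sip:ims.example.net SIP/2.0\r\nSecurity-Client: ipsec-3gpp;"
            "alg=hmac-sha-1-96;spi-c=1111;spi-s=2222;port-c=5062;port-s=5064\r\n\r\n")
GOOD_401 = ("SIP/2.0 401 Unauthorized\r\nSecurity-Server: ipsec-3gpp;q=0.1;"
            "alg=hmac-sha-1-96;spi-c=3333;spi-s=4444;port-c=6062;port-s=6064\r\n\r\n")
BARE_REG = "REGISTER sip:ims.example.net SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n"
BARE_401 = "SIP/2.0 401 Unauthorized\r\nCSeq: 1 REGISTER\r\n\r\n"
if __name__ == "__main__":
    print(audit_registration(GOOD_REG, GOOD_401), audit_registration(BARE_REG, BARE_401))
```

An empty findings list only shows that the headers were exchanged; whether ESP SAs were then actually established has to be confirmed separately on the P-CSCF.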
For End Users (Limited Options)
- Disable VoLTE where voice quality allows fallback to 3G circuit-switched calls (note: this reduces call quality and may not be available on all networks)
- Use end-to-end encrypted voice applications (Signal, WhatsApp, FaceTime over data) for sensitive communications — these protect content regardless of IMS security
- Avoid shared or public Wi-Fi for voice calls using carrier-provided VoWiFi
Key Takeaways
- CVSS 9.1 Critical — Missing IPsec protection on SIP signaling in Verizon's IMS VoLTE stack
- On-path attackers can compromise the confidentiality, integrity, and authenticity of VoLTE calls
- Root cause: Security-Client/Security-Server headers not implemented — no IPsec ESP enforced
- Sensitive calls at risk: Call routing, caller identity, and session metadata exposed
- Use E2E-encrypted voice apps (Signal, etc.) for communications that must remain confidential
References
- NVD — CVE-2026-10629
- 3GPP TS 33.203 — Access Security for IP-based Services
- 3GPP TS 24.229 — SIP and SDP for IP Multimedia Subsystem