CVE-2025-12207: 
Linux Debian vulnerability analysis and mitigation

A vulnerability has been identified in Kamailio 5.5, affecting the function yyerror_at in the file src/core/cfg.y of the Grammar Rule Handler component. The vulnerability (CVE-2025-12207) leads to a null pointer dereference and requires local access to exploit. The vulnerability was initially disclosed on October 25, 2025, and its actual existence is currently disputed (NVD, VulDB).

The vulnerability is classified as CWE-476 (NULL Pointer Dereference), which occurs when the application dereferences a pointer that it expects to be valid but is NULL, typically causing a crash or exit. The vulnerability has received varying CVSS scores, with NVD assigning a base score of 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and VulDB rating it at 3.3 LOW (NVD, VulDB).

The vulnerability primarily affects system availability through potential crashes or exits caused by the null pointer dereference. However, the impact is limited as the attack requires local access and manipulation of configuration files (VulDB).

No specific mitigation strategies have been officially documented. The Kamailio project has indicated they will internally discuss the vulnerability, likely leading to its dispute. The vendor was contacted about the disclosure but did not provide an official response (OSS Security).

The Kamailio project team has expressed skepticism about the validity of the vulnerability. Olle E. Johansson, representing the Kamailio project, stated that the reported issues do not make sense and questioned the practicality of the attack scenario, given that access to configuration files already implies significant system access (OSS Security).