SB2026030657 - Multiple vulnerabilities in pjsip




Published: March 6, 2026 Updated: April 17, 2026

Security Bulletin ID: SB2026030657
Severity: High
Patch available: YES
Number of vulnerabilities: 13
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 38%, Medium: 54%, Low: 8%

Description

This security bulletin contains information about 13 security vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2026-28799)

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error in the presence subscription termination handler. A remote attacker can execute arbitrary code on the target system.


2) Stack-based buffer overflow (CVE-ID: CVE-2026-29068)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when pjmedia-codec parses an RTP payload. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


3) Use-after-free (CVE-ID: CVE-2026-32942)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a use-after-free in the ICE session when race conditions occur between session destruction and callbacks. A remote attacker can trigger concurrent session destruction and callback execution to execute arbitrary code.

Any application using the ICE feature is potentially affected.


4) Heap-based buffer overflow (CVE-ID: CVE-2026-32945)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to heap-based buffer overflow in the DNS parser's name length handler when parsing DNS records. A remote attacker can send a specially crafted DNS response to cause a denial of service.

Only applications using the PJSIP DNS resolver are affected, such as PJSUA or PJSUA2 when configured with a nameserver.


5) Out-of-bounds read (CVE-ID: CVE-2026-33069)

The vulnerability allows a remote attacker to disclose adjacent heap memory.

The vulnerability exists due to an out-of-bounds read in pjsip_multipart_parse() when parsing SIP multipart bodies. A remote attacker can send a specially crafted SIP message to disclose adjacent heap memory.

Applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected.


6) Stack-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to stack-based buffer overflow in pjsip_auth_create_digest2() when processing application-provided pre-computed digest credentials. A local user can supply oversized credential data to cause a denial of service.

Only applications that use the PJSIP_CRED_DATA_DIGEST credential type and pass attacker-influenced data through cred_info->data are vulnerable. This is not remotely exploitable through standard SIP protocol handling.


7) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service or corrupt memory.

The vulnerability exists due to heap-based buffer overflow in the Opus codec decode path when decoding specially crafted incoming Opus audio frames. A remote attacker can send a specially crafted incoming audio packet to cause a denial of service or corrupt memory.

This affects applications that use the Opus audio codec in the receiving direction.


8) Stack-based buffer overflow (CVE-ID: CVE-2026-25994)

The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to stack-based buffer overflow in PJNATH ICE Session when processing credentials with excessively long usernames. A remote attacker can send crafted credentials with an excessively long username to cause a denial of service or execute arbitrary code.

This issue affects applications that use ICE.


9) Use-after-free (CVE-ID: CVE-2026-26203)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in the H.264 packetizer when processing malformed H.264 bitstreams without NAL unit start codes during packetization of fragmented NAL units. A remote attacker can send a specially crafted H.264 bitstream to cause a denial of service.

The issue affects applications sending video using H.264 with a packetization mode other than single NAL.


10) Heap-based buffer overflow (CVE-ID: CVE-2026-26967)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to heap-based buffer overflow in the H.264 unpacketizer when processing malformed SRTP packets. A remote attacker can send a specially crafted SRTP packet to cause a denial of service.

This issue affects applications that receive video using H.264.


11) Out-of-bounds read (CVE-ID: CVE-2026-34235)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in the VP9 RTP unpacketizer when parsing crafted VP9 scalability structure data. A remote attacker can send crafted VP9 RTP media to disclose sensitive information.

Only applications with video support enabled through PJMEDIA_HAS_VIDEO that receive VP9 RTP media are affected.


12) Out-of-bounds read (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the Content-ID URI parser when parsing a malformed Content-ID URI in a SIP multipart message body. A remote attacker can send a specially crafted SIP message with a multipart body to disclose sensitive information.


13) Integer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to integer overflow in media stream buffer size calculation in pjmedia media stream when processing SDP offers or answers with audio codec configurations that use asymmetric ptime. A remote attacker can send a specially crafted SDP offer or answer to cause a denial of service or execute arbitrary code.

Successful exploitation may result in an undersized buffer allocation and memory corruption.


Remediation

Install the update from the vendor's website.