CVE-2017-16872
published 2017-11-17CVE-2017-16872: An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Parsing the numeric header fields in a SIP message (like cseq, ttl…
PriorityP347critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
3.40%
87.3th percentile
An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Parsing the numeric header fields in a SIP message (like cseq, ttl, port, etc.) all had the potential to overflow, either causing unintended values to be captured or, if the values were subsequently converted back to strings, a buffer overrun. This will lead to a potential exploit using carefully crafted invalid values.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| pjsip | pjproject | >= 0 < 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 | 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 |
| pjsip | pjproject | >= 0 < 2.7.2~dfsg-1ubuntu0.1~esm1 | 2.7.2~dfsg-1ubuntu0.1~esm1 |
| teluu | pjsip | < 2.7.1 | 2.7.1 |
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
pjproject vulnerabilities
osv·2026-03-24·CVSS 9.8
CVE-2017-16872 [CRITICAL] pjproject vulnerabilities
pjproject vulnerabilities
Youngsung Kim discovered that PJSIP did not properly parse numeric header
fields in SIP messages. A remote attacker could use this issue to cause
PJSIP to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-16872)
Peter Koletzki discovered that PJSIP did not properly handle certain
connection requests. A remote attacker could possibly use this issue to
cause PJSIP to enter an unrecoverable state and reject further connections,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2017-16875)
Alfred Farrugia, Sandro Gauci, and Kevin Harwell discovered that PJSIP did
not properly parse certain SDP messages. A remote attacker could possibly
use this issue to c
GHSA
GHSA-7v77-w3mx-vv3x: An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2
ghsa_unreviewed·2022-05-13
CVE-2017-16872 [CRITICAL] CWE-119 GHSA-7v77-w3mx-vv3x: An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2
An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Parsing the numeric header fields in a SIP message (like cseq, ttl, port, etc.) all had the potential to overflow, either causing unintended values to be captured or, if the values were subsequently converted back to strings, a buffer overrun. This will lead to a potential exploit using carefully crafted invalid values.
OSV
CVE-2017-16872: An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2
osv·2017-11-17·CVSS 9.8
CVE-2017-16872 [CRITICAL] CVE-2017-16872: An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2
An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Parsing the numeric header fields in a SIP message (like cseq, ttl, port, etc.) all had the potential to overflow, either causing unintended values to be captured or, if the values were subsequently converted back to strings, a buffer overrun. This will lead to a potential exploit using carefully crafted invalid values.
Ubuntu
PJSIP vulnerabilities
vendor_ubuntu·2026-03-24·CVSS 9.8
CVE-2020-15260 [CRITICAL] PJSIP vulnerabilities
Title: PJSIP vulnerabilities
Summary: Several security issues were fixed in PJSIP.
Youngsung Kim discovered that PJSIP did not properly parse numeric header
fields in SIP messages. A remote attacker could use this issue to cause
PJSIP to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-16872)
Peter Koletzki discovered that PJSIP did not properly handle certain
connection requests. A remote attacker could possibly use this issue to
cause PJSIP to enter an unrecoverable state and reject further connections,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2017-16875)
Alfred Farrugia, Sandro Gauci, and Kevin Harwell discovered that PJSIP did
not properly parse certain SDP mess
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2017-11-17
Published