CVE-2021-32686: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN…
Published: 2021-07-23
Priority: P429 · medium · CVSS 3.1 base score 5.9
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.08% (79.2nd percentile)
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, two issues exist in the SSL socket. First, a race condition between callback and destroy, because the accepted socket has no group lock. Second, the SSL socket parent/listener may be destroyed during the handshake. Both issues were reported to occur intermittently under heavy TLS connection load. They cause a crash, resulting in a denial of service. Both are fixed in version 2.11.1.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.16.1~dfsg-1+deb11u1 (bullseye) | asterisk 1:16.16.1~dfsg-1+deb11u1 (bullseye) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | ring | < asterisk 1:16.16.1~dfsg-1+deb11u1 (bullseye) | asterisk 1:16.16.1~dfsg-1+deb11u1 (bullseye) |
| pjsip | pjproject | < 2.11.1 | 2.11.1 |
| pjsip | pjproject | >= 0 < 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 | 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 |
| pjsip | pjproject | >= 0 < 2.7.2~dfsg-1ubuntu0.1~esm1 | 2.7.2~dfsg-1ubuntu0.1~esm1 |
| teluu | pjsip | < 2.11.1 | 2.11.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 5.9 | MEDIUM | — |
Ubuntu
PJSIP vulnerabilities
vendor_ubuntu · 2026-03-24 · CVSS 9.8
CVE-2020-15260 [CRITICAL] PJSIP vulnerabilities
Title: PJSIP vulnerabilities
Summary: Several security issues were fixed in PJSIP.
Youngsung Kim discovered that PJSIP did not properly parse numeric header fields in SIP messages. A remote attacker could use this issue to cause PJSIP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-16872)

Peter Koletzki discovered that PJSIP did not properly handle certain connection requests. A remote attacker could possibly use this issue to cause PJSIP to enter an unrecoverable state and reject further connections, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-16875)

Alfred Farrugia, Sandro Gauci, and Kevin Harwell discovered that PJSIP did not properly parse certain SDP mess
Debian
CVE-2021-32686 [MEDIUM]: asterisk - PJSIP is a free and open source multimedia communication library written in C la...
vendor_debian · 2021 · CVSS 5.9
Scope: local
bullseye: resolved (fixed in 1:16.16.1~dfsg-1+deb11u1)
sid: resolved (fixed in 1:16.16.1~dfsg-2)
OSV
pjproject vulnerabilities
osv · 2026-03-24 · CVSS 9.8
CVE-2017-16872 [CRITICAL] pjproject vulnerabilities
Youngsung Kim discovered that PJSIP did not properly parse numeric header fields in SIP messages. A remote attacker could use this issue to cause PJSIP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-16872)

Peter Koletzki discovered that PJSIP did not properly handle certain connection requests. A remote attacker could possibly use this issue to cause PJSIP to enter an unrecoverable state and reject further connections, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-16875)

Alfred Farrugia, Sandro Gauci, and Kevin Harwell discovered that PJSIP did not properly parse certain SDP messages. A remote attacker could possibly use this issue to c
OSV
CVE-2021-32686 [MEDIUM]: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, ST
osv · 2021-07-23 · CVSS 5.9
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd
https://github.com/pjsip/pjproject/pull/2716
https://github.com/pjsip/pjproject/releases/tag/2.11.1
https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html
https://security.gentoo.org/glsa/202210-37
https://www.debian.org/security/2021/dsa-4999