CVE-2021-32686Race Condition in Pjproject

CWE-362Race Condition5 documents4 sources
Severity
5.9MEDIUMNVD
OSV9.8
EPSS
2.0%
top 16.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Pjsip PjprojectTeluu PjsipDebian Asterisk+2 more
Timeline
PublishedJul 23
Latest updateMar 24

Description

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TL

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

NVDteluu/pjsip< 2.11.1
CVEListV5pjsip/pjproject< 2.11.1
Ubuntupjsip/pjproject< 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1+1
debiandebian/ring< asterisk 1:16.16.1~dfsg-1+deb11u1 (bullseye)
debiandebian/asterisk< asterisk 1:16.16.1~dfsg-1+deb11u1 (bullseye)

Also affects: Debian Linux 11.0, 9.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
pjproject vulnerabilities2026-03-24
OSV
CVE-2021-32686: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, ST2021-07-23

📋Vendor Advisories

2
Ubuntu
PJSIP vulnerabilities2026-03-24
Debian
CVE-2021-32686: asterisk - PJSIP is a free and open source multimedia communication library written in C la...2021
CVE-2021-32686 — Race Condition in Pjsip Pjproject | cvebase