CVE-2026-25994
Published: 2026-02-11
Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.93% (77.4th percentile)
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pjsip | pjproject | <= 2.16 | — |
| pjsip | pjproject | >= 0 < 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 | 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 |
| pjsip | pjproject | >= 0 < 2.7.2~dfsg-1ubuntu0.1~esm1 | 2.7.2~dfsg-1ubuntu0.1~esm1 |
| pjsip | pjsip | <= 2.16 | — |
Detection & IOCs (extracted from sources)
- Detect SIP INVITE messages over UDP containing an a=ice-ufrag SDP attribute with a value of approximately 520 or more bytes, which is the trigger length for reliable heap buffer overflow exploitation.
- Alert on SIP INVITE packets where the SDP body contains an a=ice-ufrag field with a value >= 130 bytes; the stack is already overflowed at that threshold.
- Monitor for SIP INVITE messages on UDP port 5060 with an abnormally large Content-Length corresponding to an oversized SDP body containing both a=ice-ufrag and a=ice-pwd attributes.
- The exploit uses a Call-ID header matching the pattern 'crash-<digits>@example.com' and a branch tag matching 'z9hG4bK<digits>'; these patterns may appear in attack traffic.
- The exploit sends from source port 15060; monitor for SIP INVITE traffic originating from port 15060 with oversized ICE attributes.
- The vulnerability is triggered via the SDP a=ice-ufrag attribute (rem_ufrag) which is processed in ice_session.c. The overflow occurs when rem_ufrag length >= ~130 bytes; the PoC uses 520 bytes for reliability. The patched version adds a bounds check: if (rem_ufrag->slen >= MAX_USERNAME_LEN || combined with local_ufrag > 512-1) return PJ_ETOOBIG.
- Affected versions are PJSIP/PJPROJECT 2.16 and earlier. Detection and patching should target all deployments of pjsip <= 2.16 with ICE enabled.
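The length checks in the list above can be applied to raw UDP payloads as follows. This is an added example, not code from the page, from PJSIP or from any cited source; the function names, the severity labels and the choice to report the PoC-specific Call-ID, branch and source-port patterns only as supporting hints are assumptions of this sketch.

```python
import re

UFRAG_OVERFLOW_LEN = 130  # page: overflow already occurs at about this length
UFRAG_POC_LEN = 520       # page: length the PoC uses for reliability
CALL_ID_RE = re.compile(r"^crash-\d+@example\.com$")
# z9hG4bK prefixes every RFC 3261 branch; only the all-digit suffix is PoC-like.
BRANCH_RE = re.compile(r"branch=z9hG4bK\d+(?:;|$)")

def split_sip(raw: bytes):
    """Split a SIP message into start line, headers (lowercased names), body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def ice_lengths(sdp: bytes):
    """Longest value seen per ICE credential attribute in the SDP body."""
    found = {}
    for line in re.split(rb"\r?\n", sdp):
        m = re.match(rb"a=(ice-ufrag|ice-pwd):(.*)$", line)
        if m:
            key = m.group(1).decode()
            found[key] = max(found.get(key, 0), len(m.group(2).strip()))
    return found

def inspect_invite(raw: bytes, src_port=None):
    """Return (severity, hints); severity is 'ok', 'alert' or 'critical'."""
    start, headers, body = split_sip(raw)
    if not start.startswith("INVITE "):
        return "ok", []
    ufrag = ice_lengths(body).get("ice-ufrag", 0)
    severity = ("critical" if ufrag >= UFRAG_POC_LEN
                else "alert" if ufrag >= UFRAG_OVERFLOW_LEN else "ok")
    # PoC-specific indicators from the page: context only, trivially changed.
    checks = (("call-id", CALL_ID_RE.match(headers.get("call-id", ""))),
              ("branch", BRANCH_RE.search(headers.get("via", ""))),
              ("src-port", src_port == 15060))
    return severity, [name for name, hit in checks if hit]

def sample_invite(ufrag_len, call_id):  # constructed test input, not a capture
    sdp = "v=0\r\na=ice-ufrag:%s\r\na=ice-pwd:%s\r\n" % ("u" * ufrag_len, "p" * 22)
    return ("INVITE sip:100@pbx.example.net SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKa7f3c1\r\n"
            "Call-ID: %s\r\nContent-Length: %d\r\n\r\n%s"
            % (call_id, len(sdp), sdp)).encode("latin-1")
```

The severity comes only from the a=ice-ufrag length, since that is the property tied to the overflow; the hints describe one particular PoC and should raise confidence in an existing alert rather than trigger one.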
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
Ubuntu
PJSIP vulnerabilities
vendor_ubuntu·2026-03-24·CVSS 9.8
CVE-2020-15260 [CRITICAL] PJSIP vulnerabilities
Title: PJSIP vulnerabilities
Summary: Several security issues were fixed in PJSIP.
Youngsung Kim discovered that PJSIP did not properly parse numeric header
fields in SIP messages. A remote attacker could use this issue to cause
PJSIP to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-16872)
Peter Koletzki discovered that PJSIP did not properly handle certain
connection requests. A remote attacker could possibly use this issue to
cause PJSIP to enter an unrecoverable state and reject further connections,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2017-16875)
Alfred Farrugia, Sandro Gauci, and Kevin Harwell discovered that PJSIP did
not properly parse certain SDP mess
OSV
pjproject vulnerabilities
osv·2026-03-24·CVSS 9.8
CVE-2017-16872 [CRITICAL] pjproject vulnerabilities
Youngsung Kim discovered that PJSIP did not properly parse numeric header
fields in SIP messages. A remote attacker could use this issue to cause
PJSIP to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-16872)
Peter Koletzki discovered that PJSIP did not properly handle certain
connection requests. A remote attacker could possibly use this issue to
cause PJSIP to enter an unrecoverable state and reject further connections,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2017-16875)
Alfred Farrugia, Sandro Gauci, and Kevin Harwell discovered that PJSIP did
not properly parse certain SDP messages. A remote attacker could possibly
use this issue to c
OSV
CVE-2026-25994: PJSIP is a free and open source multimedia communication library written in C
osv·2026-02-11·CVSS 8.1
CVE-2026-25994 [HIGH] CVE-2026-25994: PJSIP is a free and open source multimedia communication library written in C
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.
No detection rules found.
Wiz
CVE-2026-25994 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-25994 [HIGH] CVE-2026-25994 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25994: NixOS vulnerability analysis and mitigation
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.
Source: NVD
Score: 8.1
Published: February 11, 2026
Severity: HIGH
CNA Score: 8.1
Affected Technologies: NixOS, Linux Ubuntu
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 20.3
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: pjproject, pjsip
Sources: NVD
- Nix: Severity CRITICAL, No Fix, Added at: Feb 20, 2026
- Ubuntu 16.04, 18.04: Severity HIGH, Has Fix, Added at: Mar 20, 2026
Bugzilla
CVE-2026-25994 pjproject: PJSIP: heap buffer overflow in ICE with long username [fedora-42]
bugzilla·2026-02-11·CVSS 8.1
CVE-2026-25994 [HIGH] CVE-2026-25994 pjproject: PJSIP: heap buffer overflow in ICE with long username [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, chang
Published: 2026-02-11