CVE-2026-25994
published 2026-02-11

CVE-2026-25994: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE…

Priority: P264, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.93% (77.4th percentile)

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.

Affected

4 ranges

Vendor | Product | Version range | Fixed in
pjsip | pjproject | <= 2.16 |
pjsip | pjproject | >= 0 < 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 | 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1
pjsip | pjproject | >= 0 < 2.7.2~dfsg-1ubuntu0.1~esm1 | 2.7.2~dfsg-1ubuntu0.1~esm1
pjsip | pjsip | <= 2.16 |

Detection & IOCs (extracted from sources)

port: 5060
command: INVITE sip:localhost@{target_ip}:{target_port} SIP/2.0
other: a=ice-ufrag: 'A' * 520
other: a=ice-pwd: 'B' * 150
  • Detect SIP INVITE messages over UDP containing an a=ice-ufrag SDP attribute with a value of approximately 520 or more bytes, which is the trigger length for reliable heap buffer overflow exploitation.
  • Alert on SIP INVITE packets where the SDP body contains an a=ice-ufrag field with a value >= 130 bytes; the stack is already overflowed at that threshold.
  • Monitor for SIP INVITE messages on UDP port 5060 with an abnormally large Content-Length corresponding to an oversized SDP body containing both a=ice-ufrag and a=ice-pwd attributes.
  • The exploit uses a Call-ID header matching the pattern 'crash-<digits>@example.com' and a branch tag matching 'z9hG4bK<digits>'; these patterns may appear in attack traffic.
  • The exploit sends from source port 15060; monitor for SIP INVITE traffic originating from port 15060 with oversized ICE attributes.
  • The vulnerability is triggered via the SDP a=ice-ufrag attribute (rem_ufrag) which is processed in ice_session.c. The overflow occurs when rem_ufrag length >= ~130 bytes; the PoC uses 520 bytes for reliability. The patched version adds a bounds check: if (rem_ufrag->slen >= MAX_USERNAME_LEN || combined with local_ufrag > 512-1) return PJ_ETOOBIG.
  • Affected versions are PJSIP/PJPROJECT 2.16 and earlier. Detection and patching should target all deployments of pjsip <= 2.16 with ICE enabled.
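
The detection notes above, expressed as a check on a single SIP datagram. This is an added example, not code from the advisory or from PJSIP: the function names, finding labels and sample messages are constructed for illustration, while the 130 and 520 byte thresholds and the Call-ID pattern are the ones listed above.

```python
import re

# Thresholds and pattern taken from the detection notes above.
UFRAG_ALERT_LEN = 130   # overflow is already reached at about this length
UFRAG_POC_LEN = 520     # length used by the public PoC
POC_CALL_ID = re.compile(r"^crash-\d+@example\.com$")

def inspect_sip(datagram: bytes) -> list[str]:
    """Return findings for one SIP message (UDP payload); [] means clean."""
    text = datagram.decode("latin-1")      # latin-1 never fails on raw bytes
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    if not lines[0].startswith("INVITE "):
        return []
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # "i" is the compact form of the Call-ID header (RFC 3261)
        if name.strip().lower() in ("call-id", "i") and POC_CALL_ID.match(value.strip()):
            findings.append("poc-call-id")
    # a=ice-ufrag may appear at session level and in every media section
    for line in body.split("\n"):
        if line.startswith("a=ice-ufrag:"):
            n = len(line[len("a=ice-ufrag:"):].strip())
            if n >= UFRAG_POC_LEN:
                findings.append(f"ice-ufrag-poc-length:{n}")
            elif n >= UFRAG_ALERT_LEN:
                findings.append(f"ice-ufrag-oversized:{n}")
    return findings

def sample_invite(ufrag_len: int, call_id: str) -> bytes:
    """Constructed, deliberately incomplete message for offline testing only."""
    sdp = f"v=0\r\na=ice-ufrag:{'u' * ufrag_len}\r\na=ice-pwd:{'p' * 22}\r\n"
    head = ("INVITE sip:localhost@192.0.2.1:5060 SIP/2.0\r\n"
            f"Call-ID: {call_id}\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n")
    return (head + sdp).encode("latin-1")

if __name__ == "__main__":
    for n, cid in [(8, "a1b2@host.example"), (130, "a1b2@host.example"),
                   (520, "crash-12345@example.com")]:
        print(n, inspect_sip(sample_invite(n, cid)))
```

The Call-ID match alone is a weak indicator that is trivial to change; the ufrag length check is the one tied to the flaw itself.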

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 8.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv | | 9.8 | CRITICAL |
vendor_ubuntu | | 9.8 | CRITICAL |