CVE-2026-26203Use After Free in Pjmedia-video

CWE-416Use After Free3 documents3 sources
Severity
5.1MEDIUMNVD
EPSS
0.0%
top 96.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pjsip Pjmedia-videoPjsip
Timeline
PublishedFeb 19

Description

PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L

Affected Packages2 packages

NVDpjsip/pjsip< 2.17
CVEListV5pjsip/pjmedia-video< 2.17

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
OSV
CVE-2026-26203: PJSIP is a free and open source multimedia communication library2026-02-19

🕵️Threat Intelligence

1
Wiz
CVE-2026-26203 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-26203 — Use After Free in Pjsip Pjmedia-video | cvebase