
Pjsip Pjproject vulnerabilities

42 known vulnerabilities affecting pjsip/pjproject.

Total CVEs: 42
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 18, MEDIUM 5

Vulnerabilities

Page 1 of 3
CVE-2026-25994 | P2 | CRITICAL | CVSS 9.8 | PoC | ≤ 2.16 | 2026-02-11
CWE-120: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.
Sources: nvd, osv
CVE-2021-37706 | P2 | CRITICAL | CVSS 9.8 | ≤ 2.11.1 | 2021-12-22
CWE-191: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting
Source: nvd
CVE-2022-31031 | P2 | CRITICAL | CVSS 9.8 | ≤ 2.12.1 | 2022-06-09
CWE-120: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their ac
Source: nvd
CVE-2022-21723 | P3 | CRITICAL | CVSS 9.1 | ≤ 2.11.1 | 2022-01-27
CWE-125: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users
Source: nvd
CVE-2022-24754 | P3 | CRITICAL | CVSS 9.8 | ≤ 2.12 | 2022-03-11
CWE-120: PJSIP is a free and open source multimedia communication library written in C language. In versions prior to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in the master bran
Source: nvd
CVE-2026-40892 | P3 | CRITICAL | CVSS 9.8 | ≤ 2.16 | 2026-04-21
CWE-121: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as the length without an upper-bound check, whi
Source: nvd
CVE-2022-21722 | P3 | CRITICAL | CVSS 9.1 | ≤ 2.11.1 | 2022-01-27
CWE-125: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects a
Source: nvd
CVE-2026-32945 | P3 | CRITICAL | CVSS 9.8 | fixed in 2.17 | 2026-03-20
CWE-122: PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflow vulnerability in the DNS parser's name length handler. This impacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It
Source: nvd
CVE-2022-23608 | P3 | CRITICAL | CVSS 9.8 | ≤ 2.11.1 | 2022-02-22
CWE-416: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dia
Source: nvd
CVE-2021-43845 | P3 | CRITICAL | CVSS 9.1 | ≤ 2.11.1 | 2021-12-27
CWE-125: PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming RTCP XR message contain block, the data field is not checked against the received packet size, potentially resulting in an out-of-bound read access. This affects all users that use PJMEDIA and RTCP XR. A malicious actor can send a RTCP XR mes
Source: nvd
CVE-2022-39244 | P3 | CRITICAL | CVSS 9.8 | fixed in 2.13 | 2022-10-06
CWE-120: PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affected by a buffer overflow vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is available as commit c4d3498 in the maste
Source: nvd
CVE-2023-38703 | P3 | CRITICAL | CVSS 9.8 | ≤ 2.13.1 | 2023-10-06
CWE-416: PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport that may i
Source: nvd
CVE-2025-65102 | P3 | HIGH | CVSS 8.7 | fixed in 2.16 | 2025-11-21
CWE-120: PJSIP is a free and open source multimedia communication library. Prior to version 2.16, Opus PLC may zero-fill the input frame as long as the decoder ptime, while the input frame length, which is based on stream ptime, may be less than that. This issue affects PJSIP users who use the Opus audio codec in receiving direction. The vulnerability can lead
Sources: nvd, osv
CVE-2022-24786 | P3 | CRITICAL | CVSS 9.8 | ≤ 2.12 | 2022-04-06
CWE-125: PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master` branch of the `pjsip/pjproject` Git
Source: nvd
CVE-2022-39269 | P3 | CRITICAL | CVSS 9.1 | v>= 2.11, < 2.13 | 2022-10-06
CWE-319: PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a
Source: nvd
CVE-2026-34235 | P3 | CRITICAL | CVSS 9.1 | fixed in 2.17 | 2026-03-31
CWE-125: PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated
Source: nvd
CVE-2022-23537 | P3 | CRITICAL | CVSS 9.8 | ≤ 2.13 | 2022-12-20
CWE-122: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications that use STUN including PJNATH and PJSUA-LI
Source: nvd
CVE-2022-23547 | P3 | CRITICAL | CVSS 9.8 | ≤ 2.13 | 2022-12-23
CWE-122: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that use STUN including PJNATH an
Source: nvd
CVE-2026-40614 | P3 | HIGH | CVSS 8.8 | ≤ 2.16 | 2026-04-21
CWE-122: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel
Source: nvd
CVE-2017-16872 | P3 | CRITICAL | CVSS 9.8 | ≥ 0, < 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 | 2017-11-17
An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Parsing the numeric header fields in a SIP message (like cseq, ttl, port, etc.) all had the potential to overflow, either causing unintended values to be captured or, if the values were subsequently converted back to strings, a buffer overrun. This will lead to a potential exploit usi
Source: osv