Pjsip Pjproject vulnerabilities
42 known vulnerabilities affecting pjsip/pjproject.
Total CVEs: 42
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 18, MEDIUM 5
Vulnerabilities
Page 2 of 3
CVE-2026-41415 | P3 | CRITICAL | CVSS 9.1 | CWE-125 | fixed in 2.17 | 2026-04-24 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in a SIP multipart message body. Insufficient length validation can cause reads beyond the intended buffer bounds. This vulnerability is fixed in 2.17.
CVE-2021-43804 | P3 | HIGH | CVSS 7.3 | CWE-125 | affected ≤ 2.11.1 | 2021-12-22 | source: nvd
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message contains a reason's length, this declared length is not checked against the actual received packet size, potentially resulting in a
CVE-2026-32942 | P3 | HIGH | CVSS 8.1 | CWE-416 | fixed in 2.17 | 2026-03-20 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.
CVE-2026-33069 | P3 | HIGH | CVSS 7.5 | CWE-125 | fixed in 2.17 | 2026-03-20 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read.
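The bug class described for CVE-2026-33069 is easy to reproduce in any hand-written delimiter scanner: after the boundary string matches, the cursor sits at or near the end of the buffer, and the code then peeks at the next one or two bytes to decide between a part delimiter (CRLF) and the closing delimiter ("--"). The scanner below is an added illustration written for this page, not code from pjproject, and its function names, return codes and sample bodies are all constructed; the check marked in the comment is the one the advisory says was missing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Scan body[*pos .. len) for the delimiter "--<boundary>" (RFC 2046 style).
 * On success *pos is moved past the delimiter and its terminator.
 * Returns  1: a part follows (delimiter was followed by CRLF)
 *          2: closing delimiter ("--" followed the boundary)
 *          0: no delimiter found in the remaining body
 *         -1: malformed or truncated body
 */
int multipart_next_delim(const char *body, size_t len, const char *boundary, size_t *pos)
{
    size_t blen = strlen(boundary);
    size_t cur = *pos;

    /* Find "--boundary"; the comparison itself must fit inside the buffer. */
    for (;;) {
        if (cur + 2 + blen > len)
            return 0;
        if (body[cur] == '-' && body[cur + 1] == '-' &&
            memcmp(body + cur + 2, boundary, blen) == 0)
            break;
        cur++;
    }
    cur += 2 + blen;   /* now just past the boundary string; may equal len */

    /* This is the check the advisory describes as missing: the two bytes after
     * the boundary may only be examined if two bytes actually remain. Without
     * it, body[cur] and body[cur + 1] are the 1-2 bytes of adjacent heap memory. */
    if (cur + 2 > len)
        return -1;

    if (body[cur] == '-' && body[cur + 1] == '-') {
        *pos = cur + 2;
        return 2;
    }
    if (body[cur] == '\r' && body[cur + 1] == '\n') {
        *pos = cur + 2;
        return 1;
    }
    return -1;   /* boundary must be followed by "--" or CRLF */
}

/* Count the parts in a body; -1 if the body is malformed, truncated or unterminated. */
int multipart_count_parts(const char *body, size_t len, const char *boundary)
{
    size_t pos = 0;
    int parts = 0, r;
    while ((r = multipart_next_delim(body, len, boundary, &pos)) == 1)
        parts++;
    return r == 2 ? parts : -1;
}

int main(void)
{
    /* constructed bodies: well-formed, and one cut off right after the boundary string */
    static const char good[] = "--b1\r\nContent-Type: text/plain\r\n\r\nhi\r\n--b1--";
    static const char cut[]  = "--b1\r\nhi\r\n--b1";
    printf("good: %d parts, cut: %d\n",
           multipart_count_parts(good, sizeof good - 1, "b1"),
           multipart_count_parts(cut, sizeof cut - 1, "b1"));   /* good: 1 parts, cut: -1 */
    return 0;
}
```

The truncated body is the interesting input: the boundary matches, `cur` lands exactly on `len`, and only the explicit remaining-bytes check stops the terminator test from reading past the allocation.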
CVE-2022-24793 | P3 | HIGH | CVSS 7.5 | CWE-120 | affected ≤ 2.13 | 2022-04-06 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing th
CVE-2026-41416 | P3 | HIGH | CVSS 7.5 | CWE-190 | fixed in 2.17 | 2026-04-24 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream buffer size calculation when processing SDP with asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corru
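The failure mode in CVE-2026-41416 is a size computed from attacker-controlled SDP values in 32-bit arithmetic. The example below is added here to show it concretely and is not pjproject's buffer size code: the formula (clock rate times ptime, times channels and sample width), the policy of sizing for the larger of the local and remote ptime, and the MAX_PTIME_MS cap are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed sanity cap on ptime in milliseconds; illustrative, not a PJSIP constant. */
#define MAX_PTIME_MS 1000u

/* Unchecked form: clock_rate * ptime_ms is evaluated in 32 bits and wraps for
 * large ptime values, so the resulting buffer size is far smaller than needed. */
uint32_t frame_bytes_unchecked(uint32_t clock_rate, uint32_t channels,
                               uint32_t bytes_per_sample, uint32_t ptime_ms)
{
    uint32_t samples_per_frame = (uint32_t)(clock_rate * ptime_ms) / 1000u;
    return samples_per_frame * channels * bytes_per_sample;
}

/* Checked form: size for the larger of the two sides' ptime (assumed policy for
 * the asymmetric case), range-check the value, do the arithmetic in 64 bits and
 * bound it before it becomes an allocation size. Returns -1 on rejection. */
int64_t frame_bytes_checked(uint32_t clock_rate, uint32_t channels,
                            uint32_t bytes_per_sample,
                            uint32_t local_ptime_ms, uint32_t remote_ptime_ms)
{
    uint64_t ptime = local_ptime_ms > remote_ptime_ms ? local_ptime_ms : remote_ptime_ms;
    if (ptime == 0 || ptime > MAX_PTIME_MS)
        return -1;                               /* reject absurd SDP ptime outright */
    uint64_t samples = (uint64_t)clock_rate * ptime / 1000u;
    uint64_t bytes = samples * channels * bytes_per_sample;
    if (bytes == 0 || bytes > UINT32_MAX)
        return -1;                               /* would not fit the allocator's size type */
    return (int64_t)bytes;
}

int main(void)
{
    /* 48 kHz, stereo, 16-bit samples. A remote ptime of 89479 ms makes
     * 48000 * 89479 = 4294992000, which exceeds 2^32 by 24704, so the
     * unchecked product wraps to 24704 and yields a 96-byte buffer. */
    printf("unchecked: %u bytes\n", frame_bytes_unchecked(48000u, 2u, 2u, 89479u));          /* 96 */
    printf("checked:   %lld\n", (long long)frame_bytes_checked(48000u, 2u, 2u, 20u, 89479u)); /* -1 */
    printf("normal:    %lld bytes\n", (long long)frame_bytes_checked(48000u, 2u, 2u, 20u, 30u)); /* 5760 */
    return 0;
}
```

The wrapped size (96 bytes) would be handed to the allocator while the stream still writes frames sized from the unwrapped value, which is exactly the undersized allocation the advisory describes; the checked form rejects the offer before any size is derived.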
CVE-2022-24764 | P3 | HIGH | CVSS 7.5 | CWE-120 | affected ≤ 2.12 | 2022-03-22 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. Versions 2.12 and prior contain a stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or `pjmedia_sdp_me
CVE-2022-24792 | P3 | HIGH | CVSS 7.5 | CWE-835 | affected ≤ 2.12 | 2022-04-25 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. A denial-of-service vulnerability affects applications on 32-bit systems that use PJSIP versions 2.12 and prior to play/read invalid WAV files. The vulnerability occurs when reading WAV file data chunks with a length greater than a 31-bit integer. The vulnerability does not
CVE-2026-29068 | P3 | HIGH | CVSS 7.5 | CWE-121 | fixed in 2.17 | 2026-03-06 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, there is a stack buffer overflow vulnerability when pjmedia-codec parses an RTP payload containing more frames than the caller-provided frame array can hold. This issue has been patched in version 2.17.
CVE-2026-28799 | P3 | HIGH | CVSS 7.5 | CWE-416 | fixed in 2.17 | 2026-03-06 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.
CVE-2022-24763 | P3 | HIGH | CVSS 7.5 | CWE-835 | affected ≤ 2.12 | 2022-03-30 | source: nvd
PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds.
CVE-2018-1000098 | P3 | HIGH | CVSS 7.5 | affected ≥ 0, < 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 | 2018-03-13 | source: osv
Teluu PJSIP version 2.7.1 and earlier contains an integer overflow vulnerability in pjmedia SDP parsing that can result in a crash. This attack appears to be exploitable by sending a specially crafted message. This vulnerability appears to have been fixed in 2.7.2.
CVE-2017-9372 | P3 | HIGH | CVSS 7.5 | affected ≥ 0, < 2.1.0.0.ast20130823-1+deb8u1build0.14.04.1; ≥ 0, < 2.1.0.0.ast20130823-1+deb8u1build0.16.04.1 | 2017-06-02 | source: osv
PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (buffer overflow and application crash) via a SIP packet with a crafted CSeq header in conjunction with a Via header that lacks a branch parameter.
CVE-2018-1000099 | P3 | HIGH | CVSS 7.5 | affected ≥ 0, < 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 | 2018-03-13 | source: osv
Teluu PJSIP version 2.7.1 and earlier contains a null/uninitialized pointer access vulnerability in pjmedia SDP parsing that can result in a crash. This attack appears to be exploitable by sending a specially crafted message. This vulnerability appears to have been fixed in 2.7.2.
CVE-2017-16875 | P3 | HIGH | CVSS 7.5 | affected ≥ 0, < 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 | 2017-11-17 | source: osv
An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. The ioqueue component may issue a double key unregistration after an attacker initiates a socket connection with specific settings and sequences. Such double key unregistration will trigger an integer overflow, which may cause ioqueue backends to reject future key registrations.
CVE-2021-41141 | P3 | HIGH | CVSS 7.5 | CWE-667 | affected ≤ 2.11.1 | 2022-01-04 | sources: nvd, osv
PJSIP is a free and open source multimedia communication library written in the C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In various parts of PJSIP, when error/failure occurs, it is found that the function returns without releasing the currently held locks. This could result in a system deadlock, whic
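CVE-2021-41141 is a shape-of-code bug rather than a parsing bug: an early `return` on a failure path skips the unlock that the success path performs. The example below is added for this page and is not pjproject code; it uses a toy single-threaded lock (a stand-in for pj_mutex_t) so that the leaked lock is observable as a failed second acquire instead of a hang, and the session/enqueue functions are invented purely to carry the pattern.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy lock standing in for pj_mutex_t. The demo is single-threaded, so a
 * second acquire on a held lock fails with -1 instead of blocking; in real
 * code that second acquire is where the deadlock would occur. */
typedef struct { int held; } toy_lock;

static int lock_acquire(toy_lock *l)
{
    if (l->held) return -1;          /* a real mutex would block here forever */
    l->held = 1;
    return 0;
}
static void lock_release(toy_lock *l) { l->held = 0; }

#define MAX_QUEUED 8
typedef struct { toy_lock lock; size_t queued; } session;

/* Leaky shape: the early return on the failure path skips the unlock. */
int enqueue_leaky(session *s, size_t n)
{
    if (lock_acquire(&s->lock)) return -1;
    if (s->queued + n > MAX_QUEUED)
        return -2;                   /* BUG: returns with the lock still held */
    s->queued += n;
    lock_release(&s->lock);
    return 0;
}

/* Fixed shape: every exit after the acquire goes through a single release. */
int enqueue_fixed(session *s, size_t n)
{
    int rc = 0;
    if (lock_acquire(&s->lock)) return -1;
    if (s->queued + n > MAX_QUEUED) {
        rc = -2;
        goto on_return;
    }
    s->queued += n;
on_return:
    lock_release(&s->lock);
    return rc;
}

/* Drive a handler on a fresh session: one oversized request that must take the
 * error path, then one normal request. Returns the second call's result:
 * 0 if the error path released the lock, -1 if the session is now stuck. */
int probe_error_path(int (*handler)(session *, size_t))
{
    session s = { { 0 }, 0 };
    if (handler(&s, MAX_QUEUED + 1) != -2)
        return -99;                  /* precondition of the scenario not met */
    return handler(&s, 1);
}

int main(void)
{
    printf("leaky: %d  fixed: %d\n",
           probe_error_path(enqueue_leaky),
           probe_error_path(enqueue_fixed));   /* leaky: -1  fixed: 0 */
    return 0;
}
```

The single-exit `goto on_return` form is the usual C remedy: the review question for every function that takes a lock is whether any `return` between the acquire and the release can be reached on an error path.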
CVE-2017-9359 | P3 | HIGH | CVSS 7.5 | affected ≥ 0, < 2.1.0.0.ast20130823-1+deb8u1build0.14.04.1; ≥ 0, < 2.1.0.0.ast20130823-1+deb8u1build0.16.04.1 | 2017-06-02 | source: osv
The multi-part body parser in PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet.
CVE-2020-15260 | P3 | MEDIUM | CVSS 6.8 | CWE-297 | affected ≤ 2.10 | 2021-03-10 | source: nvd
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.10 and earlier, PJSIP transports can be reused if they have the same IP address + port + protocol. However, this is insufficient for secure transport since it lacks remote
CVE-2026-42225 | P4 | MEDIUM | CVSS 5.9 | CWE-295 | fixed in 2.17 | 2026-05-07 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verify_server = PJ_TRUE or verify_client = PJ_TRUE. T
CVE-2026-26967 | P4 | MEDIUM | CVSS 5.3 | CWE-122 | fixed in f821c214e52b11bae11e4cd3c7f0864538fb5491 | 2026-02-20 | source: nvd
PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are w
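Two entries on this page, the RTCP BYE reason length (CVE-2021-43804) and the 2-byte NAL unit size in the H.264 unpacketizer (CVE-2026-26967), are the same bug class: a length field inside the packet is trusted ahead of the number of bytes actually received. The example below is added for this page and is not pjproject's RTCP or H.264 code; it shows the general remedy, a bounded cursor whose every read is checked against the remaining bytes, applied to both formats. The cursor helpers, function names and sample packets are constructed for the illustration; the wire layouts follow RFC 3550 section 6.6 (RTCP BYE) and RFC 6184 section 5.7.1 (STAP-A).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounded cursor: every read is checked against the bytes actually received,
 * so a declared length can never be trusted more than the packet itself. */
typedef struct { const uint8_t *p, *end; } cursor;

static int cur_has(const cursor *c, size_t n) { return (size_t)(c->end - c->p) >= n; }
static int cur_u8(cursor *c, uint8_t *v)
{
    if (!cur_has(c, 1)) return -1;
    *v = *c->p++;
    return 0;
}
static int cur_u16be(cursor *c, uint16_t *v)
{
    if (!cur_has(c, 2)) return -1;          /* both size bytes must be present */
    *v = (uint16_t)((c->p[0] << 8) | c->p[1]);
    c->p += 2;
    return 0;
}
static int cur_skip(cursor *c, size_t n)
{
    if (!cur_has(c, n)) return -1;
    c->p += n;
    return 0;
}

/* RTCP BYE: 4-byte header, SC source identifiers, optional reason = 1-byte
 * length + text. Returns the reason length (0 if absent), or -1 if the packet
 * is malformed or the declared length exceeds what was received. */
int rtcp_bye_reason(const uint8_t *pkt, size_t len, const uint8_t **reason)
{
    cursor c = { pkt, pkt + len };
    uint8_t b0, pt, rlen;
    if (cur_u8(&c, &b0) || cur_u8(&c, &pt)) return -1;
    if ((b0 >> 6) != 2 || pt != 203) return -1;      /* version 2, PT = BYE */
    if (cur_skip(&c, 2)) return -1;                  /* 16-bit length word, not needed here */
    if (cur_skip(&c, 4u * (b0 & 0x1f))) return -1;   /* SSRC/CSRC list */
    if (!cur_has(&c, 1)) return 0;                   /* no reason field */
    if (cur_u8(&c, &rlen)) return -1;
    if (!cur_has(&c, rlen)) return -1;               /* declared length vs. actual remainder */
    if (reason) *reason = c.p;
    return rlen;
}

/* H.264 STAP-A: 1-byte NAL header (type 24), then repeated 2-byte big-endian
 * NALU size + NALU. Returns the number of NAL units, or -1 if a size field is
 * truncated or a NALU does not fit in the remaining payload. */
int h264_stap_a_count(const uint8_t *payload, size_t len)
{
    cursor c = { payload, payload + len };
    uint8_t hdr;
    uint16_t nsz;
    int n = 0;
    if (cur_u8(&c, &hdr) || (hdr & 0x1f) != 24) return -1;
    while (cur_has(&c, 1)) {
        if (cur_u16be(&c, &nsz)) return -1;          /* only one of the two size bytes left */
        if (nsz == 0 || cur_skip(&c, nsz)) return -1;
        n++;
    }
    return n;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t BYE_OK[]    = { 0x81,0xCB,0x00,0x03, 0xDE,0xAD,0xBE,0xEF, 0x04,'b','y','e','!', 0,0,0 };
static const uint8_t BYE_BAD[]   = { 0x81,0xCB,0x00,0x03, 0xDE,0xAD,0xBE,0xEF, 0x20,'b','y','e' };  /* claims 32 bytes, has 3 */
static const uint8_t STAP_OK[]   = { 0x78, 0x00,0x02, 0x67,0x42, 0x00,0x03, 0x68,0xCE,0x38 };
static const uint8_t STAP_BAD[]  = { 0x78, 0xFF,0xFF, 0x67 };                                        /* claims 65535, has 1 */
static const uint8_t STAP_HALF[] = { 0x78, 0x00,0x02, 0x67,0x42, 0x00 };                             /* size field cut in half */

int main(void)
{
    printf("BYE ok=%d bad=%d\n",
           rtcp_bye_reason(BYE_OK, sizeof BYE_OK, NULL),
           rtcp_bye_reason(BYE_BAD, sizeof BYE_BAD, NULL));             /* 4 -1 */
    printf("STAP-A ok=%d bad=%d half=%d\n",
           h264_stap_a_count(STAP_OK, sizeof STAP_OK),
           h264_stap_a_count(STAP_BAD, sizeof STAP_BAD),
           h264_stap_a_count(STAP_HALF, sizeof STAP_HALF));             /* 2 -1 -1 */
    return 0;
}
```

The STAP_HALF case is the situation the H.264 entry describes: the payload ends between the two bytes of a size field, so a direct `p[0] << 8 | p[1]` read would already be one byte past the packet before the size is even compared to anything. Routing every access through the cursor makes both that check and the declared-length check mechanical rather than something each parser has to remember.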