PJSIP vulnerabilities

14 known vulnerabilities affecting pjsip/pjsip.

Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 8, MEDIUM 2

Vulnerabilities

CVE-2026-32945 | HIGH | CVSS 8.4 | CWE-122 | fixed in 2.17 | published 2026-03-20
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a heap-based buffer overflow vulnerability in the DNS parser's name length handler. This impacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It doe…
Source: NVD
CVE-2026-32942 | HIGH | CVSS 8.0 | CWE-416 | fixed in 2.17 | published 2026-03-20
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.
Source: NVD
CVE-2026-33069 | MEDIUM | CVSS 6.9 | CWE-125 | fixed in 2.17 | published 2026-03-20
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying that it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read…
Source: NVD
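The mechanism described for CVE-2026-33069 (advancing curptr past a matched boundary and then reading the bytes that follow it without checking for the end of the buffer) is a general pattern in delimiter-driven parsers. The C program below is an added illustration written for this page; it is not PJSIP's pjsip_multipart_parse() or any other project code. The walker, its function names and the sample bodies are constructed for the example. It puts the unchecked read beside the guarded form:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only, not PJSIP code: a hypothetical walker over a MIME-style
 * multipart body. Each part is introduced by a "--<boundary>" line; the
 * closing delimiter is "--<boundary>--". */

/* Locate needle inside hay[0..hlen). */
static const char *find_bytes(const char *hay, size_t hlen,
                              const char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen)
        return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/* Vulnerable shape. After a delimiter match, curptr is advanced past the
 * boundary string and curptr[0]/curptr[1] are read to decide whether a CRLF
 * (new part) or "--" (closing delimiter) follows, without first checking that
 * those bytes are still inside the body. When the body ends exactly after the
 * boundary string, this reads 1-2 bytes beyond the buffer. */
static int count_parts_vulnerable(const char *body, size_t blen, const char *delim)
{
    size_t dlen = strlen(delim);
    const char *curptr = body, *end = body + blen;
    int parts = 0;

    for (;;) {
        const char *hit = find_bytes(curptr, (size_t)(end - curptr), delim, dlen);
        if (!hit)
            return parts;
        curptr = hit + dlen;                        /* may now equal end */
        if (curptr[0] == '-' && curptr[1] == '-')   /* unchecked read past end */
            return parts;
        if (curptr[0] == '\r' && curptr[1] == '\n') {
            curptr += 2;
            parts++;
        }
    }
}

/* Hardened: the same walk, but every read after the advance is guarded by the
 * number of bytes actually left, and a body that ends in the middle of a
 * delimiter is reported as malformed (-1) instead of being read past. */
static int count_parts_checked(const char *body, size_t blen, const char *delim)
{
    size_t dlen = strlen(delim);
    const char *curptr = body, *end = body + blen;
    int parts = 0;

    for (;;) {
        const char *hit = find_bytes(curptr, (size_t)(end - curptr), delim, dlen);
        if (!hit)
            return parts;
        curptr = hit + dlen;
        if ((size_t)(end - curptr) < 2)     /* fewer than 2 bytes follow the boundary */
            return -1;
        if (curptr[0] == '-' && curptr[1] == '-')
            return parts;
        if (curptr[0] == '\r' && curptr[1] == '\n') {
            curptr += 2;
            parts++;
        } else {
            return -1;                      /* boundary must be followed by CRLF or "--" */
        }
    }
}

/* Constructed sample bodies (not captured traffic). */
static const char well_formed[] =
    "--frontier\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    "--frontier\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n"
    "--frontier--\r\n";

/* Ends right after the boundary string: the two bytes the vulnerable walker
 * reads after advancing past it lie outside the buffer. */
static const char truncated[] =
    "--frontier\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    "--frontier";

int main(void)
{
    printf("checked, well-formed: %d parts\n",
           count_parts_checked(well_formed, sizeof well_formed - 1, "--frontier"));
    printf("checked, truncated:   %d (malformed)\n",
           count_parts_checked(truncated, sizeof truncated - 1, "--frontier"));
    /* The vulnerable walker is only ever run here on the well-formed body. */
    printf("vulnerable, well-formed: %d parts\n",
           count_parts_vulnerable(well_formed, sizeof well_formed - 1, "--frontier"));
    return 0;
}
```

The check that matters is `(end - curptr) < 2` immediately after the advance: the advance itself is legal (a pointer one past the end may be formed) but any dereference at that point is not, and a compare such as `curptr < end` does not help when two bytes are read. Compile with `-fsanitize=address` and feed the truncated body to the vulnerable walker to see the read reported.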
CVE-2026-28799 | HIGH | CVSS 8.7 | CWE-416 | fixed in 2.17 | published 2026-03-06
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.
Source: NVD
CVE-2026-29068 | HIGH | CVSS 8.7 | CWE-121 | fixed in 2.17 | published 2026-03-06
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, there is a stack buffer overflow vulnerability when pjmedia-codec parses an RTP payload containing more frames than the caller-provided frame array can hold. This issue has been patched in version 2.17.
Source: NVD
CVE-2026-26967 | HIGH | CVSS 8.1 | CWE-122 | fixed in 2.17 | published 2026-02-20
PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical heap-based buffer overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are wit…
Source: NVD
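Two entries above describe the same class of defect in RTP payload handling: CVE-2026-29068 (a payload carrying more frames than the caller-provided frame array can hold) and CVE-2026-26967 (a 2-byte NAL unit size field read without validating that both bytes lie inside the packet). The C program below is an added illustration written for this page; it is not PJSIP's codec or H.264 unpacketizer code. The payload layout (a sequence of units, each prefixed by a 2-byte big-endian length, similar in shape to an RTP aggregation packet), the function names and the sample byte strings are all constructed for the example. It places the unchecked splitter beside a checked one that enforces both bounds:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative only, not PJSIP code: a hypothetical payload made of units,
 * each prefixed by a 2-byte big-endian length. The caller passes a fixed
 * array of MAX_UNITS slots for the split result. */

#define MAX_UNITS 4

struct unit_ref {
    const uint8_t *data;
    size_t len;
};

/* Vulnerable shape, two independent defects:
 * 1. Only p < end is tested before p[0] and p[1] are read, so with one byte
 *    left the second size byte is read past the buffer.
 * 2. The caller's capacity (out_cap) is ignored, so a payload with more units
 *    than out_cap writes past the end of the caller's array. */
static int split_units_vulnerable(const uint8_t *p, size_t n,
                                  struct unit_ref *out, size_t out_cap)
{
    const uint8_t *end = p + n;
    int count = 0;
    (void)out_cap;
    while (p < end) {
        size_t len = ((size_t)p[0] << 8) | p[1];
        p += 2;
        out[count].data = p;
        out[count].len = len;
        count++;
        p += len;
    }
    return count;
}

/* Hardened: returns the number of units parsed, or -1 on a malformed payload
 * (truncated size field, zero or oversized length, more units than out_cap). */
static int split_units_checked(const uint8_t *p, size_t n,
                               struct unit_ref *out, size_t out_cap)
{
    size_t remaining = n;
    size_t count = 0;
    while (remaining > 0) {
        if (remaining < 2)                 /* both size bytes must be in the buffer */
            return -1;
        size_t len = ((size_t)p[0] << 8) | p[1];
        p += 2;
        remaining -= 2;
        if (len == 0 || len > remaining)   /* unit must fit in what is left */
            return -1;
        if (count >= out_cap)              /* respect the caller's capacity */
            return -1;
        out[count].data = p;
        out[count].len = len;
        count++;
        p += len;
        remaining -= len;
    }
    return (int)count;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t good_payload[] = {
    0x00, 0x03, 0x65, 0x88, 0x84,     /* unit 1: 3 bytes */
    0x00, 0x02, 0x41, 0x9a            /* unit 2: 2 bytes */
};
static const uint8_t truncated_size_payload[] = {
    0x00, 0x03, 0x65, 0x88, 0x84,
    0x00                              /* only one byte of the next size field */
};
static const uint8_t oversize_payload[] = {
    0x00, 0x10, 0x65, 0x88            /* claims 16 bytes, only 2 present */
};
static const uint8_t too_many_units_payload[] = {
    0x00, 0x01, 0xAA, 0x00, 0x01, 0xBB, 0x00, 0x01, 0xCC,
    0x00, 0x01, 0xDD, 0x00, 0x01, 0xEE /* 5 units, MAX_UNITS is 4 */
};

/* Split into a MAX_UNITS-slot array; returns the unit count or -1. */
static int parse_sample(const uint8_t *buf, size_t n)
{
    struct unit_ref units[MAX_UNITS];
    return split_units_checked(buf, n, units, MAX_UNITS);
}

/* Length of unit i after a checked split, or -1 if the split fails or i is out of range. */
static long unit_len_at(const uint8_t *buf, size_t n, size_t i)
{
    struct unit_ref units[MAX_UNITS];
    int count = split_units_checked(buf, n, units, MAX_UNITS);
    if (count < 0 || i >= (size_t)count)
        return -1;
    return (long)units[i].len;
}

int main(void)
{
    struct unit_ref units[MAX_UNITS];
    printf("good:           %d units\n", parse_sample(good_payload, sizeof good_payload));
    printf("truncated size: %d\n", parse_sample(truncated_size_payload, sizeof truncated_size_payload));
    printf("oversize:       %d\n", parse_sample(oversize_payload, sizeof oversize_payload));
    printf("too many units: %d\n", parse_sample(too_many_units_payload, sizeof too_many_units_payload));
    /* The vulnerable splitter is only ever run here on the well-formed sample. */
    printf("vulnerable on good: %d units\n",
           split_units_vulnerable(good_payload, sizeof good_payload, units, MAX_UNITS));
    return 0;
}
```

The two checks are independent and both are needed: `remaining < 2` rejects a payload whose final size field is cut short (the vulnerable version's `p < end` passes with one byte left and then reads `p[1]` past the buffer), and `count >= out_cap` stops the split at the caller's capacity instead of writing past an array that, as in CVE-2026-29068, typically lives on the caller's stack.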
CVE-2026-26203 | MEDIUM | CVSS 5.1 | CWE-416 | fixed in 2.17 | published 2026-02-19
PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located…
Source: NVD
CVE-2026-25994 | HIGH | CVSS 8.1 | CWE-120 | affects ≤ 2.16 | published 2026-02-11
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.
Source: NVD
CVE-2022-23547 | CRITICAL | CVSS 9.8 | CWE-122 | fixed in 2.13.1 | published 2022-12-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that use STUN including PJNATH an…
Source: NVD
CVE-2022-39244 | CRITICAL | CVSS 9.8 | CWE-120 | fixed in 2.13 | published 2022-10-06
PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affected by a buffer overflow vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is available as commit c4d3498 in the maste…
Source: NVD
CVE-2022-39269 | CRITICAL | CVSS 9.1 | CWE-319 | affects ≥ 2.11, < 2.13 | published 2022-10-06
PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a…
Source: NVD
CVE-2022-24786 | CRITICAL | CVSS 9.8 | CWE-125 | affects ≤ 2.12 | published 2022-04-06
PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packets, but any app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master` branch of the `pjsip/pjproject` Git…
Source: NVD
CVE-2022-24793 | HIGH | CVSS 7.5 | CWE-120 | affects ≤ 2.12 | published 2022-04-06
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing th…
Source: NVD
CVE-2022-24763 | HIGH | CVSS 7.5 | CWE-835 | affects ≥ 2.5, < 2.13 | published 2022-03-30
PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds.
Source: NVD