Skip to main content

Pjsip CVE-2022-23608

CRITICAL
Use After Free (CWE-416)
2022-02-22 security-advisories@github.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Feb 22, 2022 - 20:15 nvd
CRITICAL 9.8

DescriptionNVD

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.

AnalysisAI

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Technical ContextAI

This vulnerability is classified as Use After Free (CWE-416), which allows attackers to access freed memory to execute arbitrary code or crash the application. PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue. Affected products include: Teluu Pjsip, Asterisk Certified Asterisk, Sangoma Asterisk, Debian Debian Linux.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use smart pointers or garbage-collected languages. Set pointers to NULL after freeing. Enable memory sanitizers.

More in Pjsip

View all
CVE-2021-43845 CRITICAL POC
9.1 Dec 27

PJSIP is a free and open source multimedia communication library. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2021-21375 MEDIUM POC
6.5 Mar 10

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2017-16872 CRITICAL
9.8 Nov 17

An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Rated critical severity (CVSS 9

CVE-2026-25994 CRITICAL POC
9.8 Feb 11

Buffer overflow in PJSIP multimedia library version 2.16 and earlier in PJNATH ICE implementation. Patch available. Affe

CVE-2026-32945 CRITICAL
9.8 Mar 20

Heap overflow in PJSIP 2.16 and earlier DNS parser allows unauthenticated remote attackers to achieve code execution wit

CVE-2023-38703 CRITICAL
9.8 Oct 06

PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, a

CVE-2022-23547 CRITICAL
9.8 Dec 23

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-23537 CRITICAL
9.8 Dec 20

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-39244 CRITICAL
9.8 Oct 06

PJSIP is a free and open source multimedia communication library written in C. Rated critical severity (CVSS 9.8), this

CVE-2022-31031 CRITICAL
9.8 Jun 09

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-24786 CRITICAL
9.8 Apr 06

PJSIP is a free and open source multimedia communication library written in C. Rated critical severity (CVSS 9.8), this

CVE-2022-24754 CRITICAL
9.8 Mar 11

PJSIP is a free and open source multimedia communication library written in C language. Rated critical severity (CVSS 9.

Share

CVE-2022-23608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy