What is the CVSS score of CVE-2026-25994?

CVE-2026-25994 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Pjsip are affected by CVE-2026-25994?

A critical buffer overflow vulnerability in PJSIP versions 2.16 and earlier could allow attackers to execute arbitrary code on systems using this library, potentially compromising confidentiality,…. A patch is available.

Is there a public PoC exploit available for CVE-2026-25994?

Yes, a public proof-of-concept exploit is available for CVE-2026-25994. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-25994?

Within 24 hours: Identify all systems and applications running PJSIP 2.16 or earlier; assess network exposure and prioritize critical communication systems. Within 7 days: Deploy available patches to all affected systems in controlled batches, starting with production VoIP and conferencing infrastructure; validate patch installation and system functionality. Within 30 days: Complete patching of all remaining systems; conduct security audit of any systems that remained unpatched during the window to detect potential exploitation.

Pjsip CVE-2026-25994

CRITICAL

Classic Buffer Overflow (CWE-120)

2026-02-11 security-advisories@github.com

Buffer Overflow Pjsip

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

Patch released

Feb 19, 2026 - 19:23 nvd

Patch available

CVE Published

Feb 11, 2026 - 21:16 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.

AnalysisAI

Buffer overflow in PJSIP multimedia library version 2.16 and earlier in PJNATH ICE implementation. Patch available. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send ICE session request with excessively long username

Exploit

Buffer overflow in credential processing

Impact

Execute arbitrary code with application privileges

Access

Send ICE session request with excessively long username

Exploit

Buffer overflow in credential processing

Impact

Execute arbitrary code with application privileges

Vulnerability AssessmentAI

Exploitation	PJSIP version 2.16 or earlier with ICE (Interactive Connectivity Establishment) session processing enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Attacker sends crafted ICE negotiation packets during call setup, overflowing the PJNATH buffer for code execution.
Remediation	Update PJSIP. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems and applications running PJSIP 2.16 or earlier; assess network exposure and prioritize critical communication systems. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25994 vulnerability details – vuln.today

Back

Pjsip CVE-2026-25994

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code