Skip to main content

Pjsip CVE-2026-32942

| EUVDEUVD-2026-13520 HIGH
Use After Free (CWE-416)
2026-03-20 security-advisories@github.com
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13520
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 04:16 nvd
HIGH 8.1

DescriptionGitHub Advisory

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.

AnalysisAI

PJSIP versions 2.16 and earlier contain a heap use-after-free vulnerability in ICE session handling caused by race conditions between session destruction and callback execution, enabling memory corruption and potential code execution. This flaw affects all systems using vulnerable PJSIP versions for multimedia communication and currently has no available patch. With a CVSS score of 8.1, the vulnerability is remotely exploitable without authentication or user interaction.

Technical ContextAI

PJSIP is a widely-used open source multimedia communication library written in C that implements SIP, SDP, RTP, STUN, TURN, and ICE protocols for voice over IP and video conferencing applications. The vulnerability is classified as CWE-416 (Use After Free), occurring specifically in the Interactive Connectivity Establishment (ICE) session component. This memory safety flaw arises from improper synchronization where callback functions may attempt to access memory that has already been freed during session teardown, a classic race condition scenario in multithreaded C applications handling network protocol state machines. The affected component is pjproject (the project containing PJSIP) versions prior to 2.17.

RemediationAI

Upgrade PJSIP (pjproject) to version 2.17 or later, which contains the fix for this heap use-after-free vulnerability as documented in commit c9caceddabda7f18337b2a82d25d65f6224b450a available at https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a. Organizations should review the official security advisory at https://github.com/pjsip/pjproject/security/advisories/GHSA-g88q-c2hm-q7p7 for complete upgrade guidance. If immediate patching is not feasible, implement network segmentation to limit exposure of PJSIP-based services to trusted networks only, deploy intrusion detection systems to monitor for abnormal ICE session behavior, and consider rate-limiting ICE connection establishment attempts to reduce the attack surface until the upgrade can be completed.

More in Pjsip

View all
CVE-2021-43845 CRITICAL POC
9.1 Dec 27

PJSIP is a free and open source multimedia communication library. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2021-21375 MEDIUM POC
6.5 Mar 10

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2017-16872 CRITICAL
9.8 Nov 17

An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Rated critical severity (CVSS 9

CVE-2026-25994 CRITICAL POC
9.8 Feb 11

Buffer overflow in PJSIP multimedia library version 2.16 and earlier in PJNATH ICE implementation. Patch available. Affe

CVE-2026-32945 CRITICAL
9.8 Mar 20

Heap overflow in PJSIP 2.16 and earlier DNS parser allows unauthenticated remote attackers to achieve code execution wit

CVE-2023-38703 CRITICAL
9.8 Oct 06

PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, a

CVE-2022-23547 CRITICAL
9.8 Dec 23

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-23537 CRITICAL
9.8 Dec 20

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-39244 CRITICAL
9.8 Oct 06

PJSIP is a free and open source multimedia communication library written in C. Rated critical severity (CVSS 9.8), this

CVE-2022-31031 CRITICAL
9.8 Jun 09

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-24786 CRITICAL
9.8 Apr 06

PJSIP is a free and open source multimedia communication library written in C. Rated critical severity (CVSS 9.8), this

CVE-2022-24754 CRITICAL
9.8 Mar 11

PJSIP is a free and open source multimedia communication library written in C language. Rated critical severity (CVSS 9.

Vendor StatusVendor

Debian

pjproject
Release Status Fixed Version Urgency
(unstable) fixed (unfixed) -

Share

CVE-2026-32942 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy