Skip to main content

Pjsip CVE-2026-32945

| EUVDEUVD-2026-13519 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-03-20 security-advisories@github.com
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13519
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 04:16 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead.

AnalysisAI

Heap overflow in PJSIP 2.16 and earlier DNS parser allows unauthenticated remote attackers to achieve code execution with no user interaction required. The vulnerability affects only applications explicitly configured with a built-in nameserver; users relying on OS resolvers or external resolver implementations are unaffected. No patch is currently available, but mitigation is possible by disabling DNS resolution or switching to an external resolver.

Technical ContextAI

PJSIP is a widely-used free and open-source multimedia communication library written in C, commonly integrated into VoIP applications, SIP clients, and telephony systems. The vulnerability, classified as CWE-122 (Heap-based Buffer Overflow), occurs in the DNS parser component specifically when handling name length validation during DNS response processing. According to EUVD-2026-13519, affected versions include pjproject versions prior to 2.17. The flaw only impacts deployments that utilize PJSIP's internal DNS resolver implementation rather than delegating to the operating system's native resolver (getaddrinfo) or external resolver implementations via pjsip_resolver_set_ext_resolver(). The heap overflow occurs during parsing of DNS records, likely when processing malformed or specially crafted DNS response packets with incorrect length fields.

RemediationAI

Upgrade PJSIP (pjproject) to version 2.17 or later, which contains the fix committed at https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199. For environments where immediate patching is not feasible, implement one of two workarounds: disable DNS resolution in PJSIP configuration by setting nameserver_count to zero (forcing reliance on OS resolver), or configure an external resolver implementation using pjsip_resolver_set_ext_resolver() function. Review your PJSIP deployment to confirm whether custom nameservers are configured, as systems using default OS resolver settings (getaddrinfo) are not affected and do not require remediation. Consult the GitHub security advisory at https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q for complete vendor recommendations.

More in Pjsip

View all
CVE-2021-43845 CRITICAL POC
9.1 Dec 27

PJSIP is a free and open source multimedia communication library. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2021-21375 MEDIUM POC
6.5 Mar 10

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2017-16872 CRITICAL
9.8 Nov 17

An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Rated critical severity (CVSS 9

CVE-2026-25994 CRITICAL POC
9.8 Feb 11

Buffer overflow in PJSIP multimedia library version 2.16 and earlier in PJNATH ICE implementation. Patch available. Affe

CVE-2023-38703 CRITICAL
9.8 Oct 06

PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, a

CVE-2022-23547 CRITICAL
9.8 Dec 23

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-23537 CRITICAL
9.8 Dec 20

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-39244 CRITICAL
9.8 Oct 06

PJSIP is a free and open source multimedia communication library written in C. Rated critical severity (CVSS 9.8), this

CVE-2022-31031 CRITICAL
9.8 Jun 09

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-24786 CRITICAL
9.8 Apr 06

PJSIP is a free and open source multimedia communication library written in C. Rated critical severity (CVSS 9.8), this

CVE-2022-24754 CRITICAL
9.8 Mar 11

PJSIP is a free and open source multimedia communication library written in C language. Rated critical severity (CVSS 9.

CVE-2022-23608 CRITICAL
9.8 Feb 22

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

Vendor StatusVendor

Debian

pjproject
Release Status Fixed Version Urgency
(unstable) fixed (unfixed) -

Share

CVE-2026-32945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy