Skip to main content

Pjproject CVE-2026-34235

| EUVDEUVD-2026-17494 MEDIUM
Out-of-bounds Read (CWE-125)
2026-03-31 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.17
EUVD ID Assigned
Mar 31, 2026 - 16:00 euvd
EUVD-2026-17494
Analysis Generated
Mar 31, 2026 - 16:00 vuln.today
CVE Published
Mar 31, 2026 - 15:36 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.

AnalysisAI

Heap out-of-bounds read in PJSIP's VP9 RTP unpacketizer allows remote attackers to read memory beyond allocated buffer boundaries by sending crafted VP9 Scalability Structure data, potentially disclosing sensitive information. PJSIP versions prior to 2.17 are affected. The vulnerability requires network access but no authentication, authentication complexity, or user interaction, with CVSS score of 6.9 indicating moderate severity driven by availability impact. Vendor-released patch available in version 2.17.

Technical ContextAI

PJSIP (pjproject) is a multimedia communication library that handles RTP (Real-time Transport Protocol) packet processing. The vulnerability exists in the VP9 (a modern video codec) RTP unpacketizer component, specifically in code that parses VP9 Scalability Structure (SS) descriptors embedded in RTP payload headers. The root cause is CWE-125 (Out-of-bounds Read), where insufficient validation of the payload descriptor length field allows an attacker-controlled length value to cause subsequent read operations to access memory beyond the bounds of the allocated RTP payload buffer. VP9 RTP unpacketizers must parse variable-length header extensions; the flaw occurs when this parsing logic does not verify that descriptor lengths remain within buffer boundaries before dereferencing.

RemediationAI

Vendor-released patch: PJSIP version 2.17 or later. Organizations should upgrade to PJSIP 2.17 immediately if using VP9 codec features. The upstream fix is available in commit f4c7d08211da1fe2ad1504434a0ad99d12aa7536 (https://github.com/pjsip/pjproject/commit/f4c7d08211da1fe2ad1504434a0ad99d12aa7536) for those building from source. If upgrading is not immediately feasible, a workaround is available: disable VP9 codec support in PJSIP configuration if VP9 RTP streams are not required for your deployment. This eliminates the vulnerable code path without a version change. Consult https://github.com/pjsip/pjproject/security/advisories/GHSA-pqrm-53pc-wx28 for detailed patching instructions specific to your build configuration.

Share

CVE-2026-34235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy