Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.
AnalysisAI
Heap out-of-bounds read in PJSIP's VP9 RTP unpacketizer allows remote attackers to read memory beyond allocated buffer boundaries by sending crafted VP9 Scalability Structure data, potentially disclosing sensitive information. PJSIP versions prior to 2.17 are affected. The vulnerability requires network access but no authentication, authentication complexity, or user interaction, with CVSS score of 6.9 indicating moderate severity driven by availability impact. Vendor-released patch available in version 2.17.
Technical ContextAI
PJSIP (pjproject) is a multimedia communication library that handles RTP (Real-time Transport Protocol) packet processing. The vulnerability exists in the VP9 (a modern video codec) RTP unpacketizer component, specifically in code that parses VP9 Scalability Structure (SS) descriptors embedded in RTP payload headers. The root cause is CWE-125 (Out-of-bounds Read), where insufficient validation of the payload descriptor length field allows an attacker-controlled length value to cause subsequent read operations to access memory beyond the bounds of the allocated RTP payload buffer. VP9 RTP unpacketizers must parse variable-length header extensions; the flaw occurs when this parsing logic does not verify that descriptor lengths remain within buffer boundaries before dereferencing.
RemediationAI
Vendor-released patch: PJSIP version 2.17 or later. Organizations should upgrade to PJSIP 2.17 immediately if using VP9 codec features. The upstream fix is available in commit f4c7d08211da1fe2ad1504434a0ad99d12aa7536 (https://github.com/pjsip/pjproject/commit/f4c7d08211da1fe2ad1504434a0ad99d12aa7536) for those building from source. If upgrading is not immediately feasible, a workaround is available: disable VP9 codec support in PJSIP configuration if VP9 RTP streams are not required for your deployment. This eliminates the vulnerable code path without a version change. Consult https://github.com/pjsip/pjproject/security/advisories/GHSA-pqrm-53pc-wx28 for detailed patching instructions specific to your build configuration.
Heap buffer overflow in PJSIP 2.16 and earlier allows local attackers with user interaction to execute arbitrary code or
Certificate validation bypass in PJSIP versions before 2.17 allows remote attackers to perform man-in-the-middle attacks
Integer overflow in PJSIP 2.16 and earlier enables remote unauthenticated attackers to trigger memory corruption or appl
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overf
PJSIP versions 2.16 and below contain a cascading out-of-bounds heap read vulnerability in the pjsip_multipart_parse() f
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17494