Skip to main content

PJSIP CVE-2026-40614

| EUVDEUVD-2026-24229 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-04-21 GitHub_M
8.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 19:47 vuln.today
CVSS changed
Apr 21, 2026 - 19:22 NVD
8.5 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 19:00 euvd
EUVD-2026-24229
Analysis Generated
Apr 21, 2026 - 19:00 vuln.today
CVE Published
Apr 21, 2026 - 18:04 nvd
HIGH 8.5

DescriptionGitHub Advisory

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.

AnalysisAI

Heap buffer overflow in PJSIP 2.16 and earlier allows local attackers with user interaction to execute arbitrary code or crash the application via maliciously crafted Opus audio frames. The vulnerability stems from undersized FEC decode buffers (960 bytes at 8 kHz mono) that receive up to 1280 bytes of encoded data without bounds checking during Opus codec decoding. With CVSS 8.5 severity and a public GitHub commit fix available, this represents a high-impact memory corruption vulnerability in a widely-deployed VoIP library, though exploitation requires local access and user interaction (AV:L/UI:P), limiting remote attack scenarios.

Technical ContextAI

PJSIP (pjproject) is a multimedia communication library implementing SIP, SDP, RTP, STUN, TURN, and ICE protocols, widely used in VoIP applications, softphones, and embedded systems. The vulnerability affects the Opus audio codec integration layer where Forward Error Correction (FEC) decode buffers are allocated. The root cause (CWE-122: Heap-based Buffer Overflow) occurs because buffer sizing logic incorrectly calculates capacity based on PCM output requirements using the formula (sample_rate/1000) * 60 * channel_cnt * 2, yielding only 960 bytes for 8 kHz mono audio. However, the codec_parse() function can produce encoded packets up to MAX_ENCODED_PACKET_SIZE (1280 bytes) via opus_repacketizer_out_range(). Three unchecked pj_memcpy() operations in codec_decode() then copy input->size bytes directly into the undersized heap buffers, creating a 320-byte overflow condition. This classic integer truncation and buffer sizing mismatch affects any PJSIP deployment processing Opus-encoded audio streams.

RemediationAI

Upgrade to a patched version of PJSIP incorporating commit 17897e835818f8ee03b1806ddcd7b95ea16d2c0e from the upstream repository (https://github.com/pjsip/pjproject/commit/17897e835818f8ee03b1806ddcd7b95ea16d2c0e). The fix corrects buffer size calculations in the Opus codec decode path to prevent overflow conditions. If immediate patching is not feasible, implement the following compensating controls: disable Opus codec support in PJSIP configuration if alternative codecs are acceptable (trade-off: reduced audio quality and increased bandwidth usage), restrict media processing to trusted sources only through SIP access control lists and authenticated sessions (trade-off: limits functionality for guest/anonymous users), or deploy application sandboxing with restricted process privileges to contain potential exploitation impact (trade-off: may affect interoperability with system resources). Monitor the GitHub advisory page for official release version numbers as the patch transitions from commit to stable release. Prioritize systems processing media from untrusted or internet-facing sources.

Share

CVE-2026-40614 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy