Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.
AnalysisAI
Heap buffer overflow in PJSIP 2.16 and earlier allows local attackers with user interaction to execute arbitrary code or crash the application via maliciously crafted Opus audio frames. The vulnerability stems from undersized FEC decode buffers (960 bytes at 8 kHz mono) that receive up to 1280 bytes of encoded data without bounds checking during Opus codec decoding. With CVSS 8.5 severity and a public GitHub commit fix available, this represents a high-impact memory corruption vulnerability in a widely-deployed VoIP library, though exploitation requires local access and user interaction (AV:L/UI:P), limiting remote attack scenarios.
Technical ContextAI
PJSIP (pjproject) is a multimedia communication library implementing SIP, SDP, RTP, STUN, TURN, and ICE protocols, widely used in VoIP applications, softphones, and embedded systems. The vulnerability affects the Opus audio codec integration layer where Forward Error Correction (FEC) decode buffers are allocated. The root cause (CWE-122: Heap-based Buffer Overflow) occurs because buffer sizing logic incorrectly calculates capacity based on PCM output requirements using the formula (sample_rate/1000) * 60 * channel_cnt * 2, yielding only 960 bytes for 8 kHz mono audio. However, the codec_parse() function can produce encoded packets up to MAX_ENCODED_PACKET_SIZE (1280 bytes) via opus_repacketizer_out_range(). Three unchecked pj_memcpy() operations in codec_decode() then copy input->size bytes directly into the undersized heap buffers, creating a 320-byte overflow condition. This classic integer truncation and buffer sizing mismatch affects any PJSIP deployment processing Opus-encoded audio streams.
RemediationAI
Upgrade to a patched version of PJSIP incorporating commit 17897e835818f8ee03b1806ddcd7b95ea16d2c0e from the upstream repository (https://github.com/pjsip/pjproject/commit/17897e835818f8ee03b1806ddcd7b95ea16d2c0e). The fix corrects buffer size calculations in the Opus codec decode path to prevent overflow conditions. If immediate patching is not feasible, implement the following compensating controls: disable Opus codec support in PJSIP configuration if alternative codecs are acceptable (trade-off: reduced audio quality and increased bandwidth usage), restrict media processing to trusted sources only through SIP access control lists and authenticated sessions (trade-off: limits functionality for guest/anonymous users), or deploy application sandboxing with restricted process privileges to contain potential exploitation impact (trade-off: may affect interoperability with system resources). Monitor the GitHub advisory page for official release version numbers as the patch transitions from commit to stable release. Prioritize systems processing media from untrusted or internet-facing sources.
Certificate validation bypass in PJSIP versions before 2.17 allows remote attackers to perform man-in-the-middle attacks
Integer overflow in PJSIP 2.16 and earlier enables remote unauthenticated attackers to trigger memory corruption or appl
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overf
PJSIP versions 2.16 and below contain a cascading out-of-bounds heap read vulnerability in the pjsip_multipart_parse() f
Heap out-of-bounds read in PJSIP's VP9 RTP unpacketizer allows remote attackers to read memory beyond allocated buffer b
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24229