Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream buffer size calculation when processing SDP with asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption This vulnerability is fixed in 2.17.
AnalysisAI
Integer overflow in PJSIP 2.16 and earlier enables remote unauthenticated attackers to trigger memory corruption or application crashes via malicious SDP packets with asymmetric ptime values. The vulnerability causes undersized buffer allocation during media stream processing, creating conditions for memory corruption with potential code execution or denial of service. Fixed in version 2.17 with no public exploit identified at time of analysis, though CVSS 8.1 and network attack vector indicate significant risk for internet-facing VoIP/multimedia applications.
Technical ContextAI
PJSIP (PJPROJECT) is a widely-deployed open-source multimedia communication library written in C, providing SIP protocol stack, media transport (RTP/RTCP), and codec framework for VoIP applications. The vulnerability (CWE-190: Integer Overflow) occurs during SDP (Session Description Protocol) parsing when calculating media stream buffer sizes. SDP's ptime attribute specifies packet duration in milliseconds, and asymmetric configurations (different ptime values for send/receive) trigger an integer overflow in the buffer size arithmetic. This overflow wraps to a small positive value, causing malloc/buffer allocation with insufficient space. Subsequent media stream operations write beyond allocated boundaries, creating classic heap corruption conditions. The affected component handles network-received SDP during session negotiation, making it reachable from remote callers without authentication in typical SIP/VoIP deployments.
RemediationAI
Upgrade PJSIP library to version 2.17 or later, which contains the fix committed in https://github.com/pjsip/pjproject/commit/66fe416c96e957417621b7be16e9e587d159f9bb. For embedded applications, rebuild with patched library and redeploy firmware. Organizations unable to immediately upgrade should implement SDP normalization at SIP proxy/SBC layer: reject or rewrite SDP offers containing asymmetric ptime attributes (different sendonly/recvonly ptime values) or ptime values exceeding reasonable bounds (>200ms). This workaround degrades call compatibility with non-standard endpoints but blocks the overflow trigger. Additional compensating control: restrict SIP access to authenticated peers via firewall rules (block UDP/TCP 5060-5061 from internet, allow only known trunking partners), reducing attack surface from internet-wide to trusted networks. Note this mitigation breaks open SIP services and peer-to-peer calling scenarios. Network-based IDS/IPS can detect anomalous ptime values in SDP, but evasion via encoding variations limits effectiveness. For Asterisk deployments, verify chan_pjsip module version and follow Asterisk security advisories for bundled PJSIP updates.
Heap buffer overflow in PJSIP 2.16 and earlier allows local attackers with user interaction to execute arbitrary code or
Certificate validation bypass in PJSIP versions before 2.17 allows remote attackers to perform man-in-the-middle attacks
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overf
PJSIP versions 2.16 and below contain a cascading out-of-bounds heap read vulnerability in the pjsip_multipart_parse() f
Heap out-of-bounds read in PJSIP's VP9 RTP unpacketizer allows remote attackers to read memory beyond allocated buffer b
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25598