Skip to main content

PJSIP CVE-2026-41416

| EUVDEUVD-2026-25598 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-04-24 GitHub_M
8.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch released
Apr 28, 2026 - 18:30 nvd
Patch available
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 21:31 vuln.today
Patch available
Apr 24, 2026 - 20:17 EUVD
CVSS changed
Apr 24, 2026 - 19:22 NVD
8.1 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 19:00 euvd
EUVD-2026-25598
Analysis Generated
Apr 24, 2026 - 19:00 vuln.today
CVE Published
Apr 24, 2026 - 18:40 nvd
HIGH 8.1

DescriptionGitHub Advisory

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream buffer size calculation when processing SDP with asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption This vulnerability is fixed in 2.17.

AnalysisAI

Integer overflow in PJSIP 2.16 and earlier enables remote unauthenticated attackers to trigger memory corruption or application crashes via malicious SDP packets with asymmetric ptime values. The vulnerability causes undersized buffer allocation during media stream processing, creating conditions for memory corruption with potential code execution or denial of service. Fixed in version 2.17 with no public exploit identified at time of analysis, though CVSS 8.1 and network attack vector indicate significant risk for internet-facing VoIP/multimedia applications.

Technical ContextAI

PJSIP (PJPROJECT) is a widely-deployed open-source multimedia communication library written in C, providing SIP protocol stack, media transport (RTP/RTCP), and codec framework for VoIP applications. The vulnerability (CWE-190: Integer Overflow) occurs during SDP (Session Description Protocol) parsing when calculating media stream buffer sizes. SDP's ptime attribute specifies packet duration in milliseconds, and asymmetric configurations (different ptime values for send/receive) trigger an integer overflow in the buffer size arithmetic. This overflow wraps to a small positive value, causing malloc/buffer allocation with insufficient space. Subsequent media stream operations write beyond allocated boundaries, creating classic heap corruption conditions. The affected component handles network-received SDP during session negotiation, making it reachable from remote callers without authentication in typical SIP/VoIP deployments.

RemediationAI

Upgrade PJSIP library to version 2.17 or later, which contains the fix committed in https://github.com/pjsip/pjproject/commit/66fe416c96e957417621b7be16e9e587d159f9bb. For embedded applications, rebuild with patched library and redeploy firmware. Organizations unable to immediately upgrade should implement SDP normalization at SIP proxy/SBC layer: reject or rewrite SDP offers containing asymmetric ptime attributes (different sendonly/recvonly ptime values) or ptime values exceeding reasonable bounds (>200ms). This workaround degrades call compatibility with non-standard endpoints but blocks the overflow trigger. Additional compensating control: restrict SIP access to authenticated peers via firewall rules (block UDP/TCP 5060-5061 from internet, allow only known trunking partners), reducing attack surface from internet-wide to trusted networks. Note this mitigation breaks open SIP services and peer-to-peer calling scenarios. Network-based IDS/IPS can detect anomalous ptime values in SDP, but evasion via encoding variations limits effectiveness. For Asterisk deployments, verify chan_pjsip module version and follow Asterisk security advisories for bundled PJSIP updates.

Share

CVE-2026-41416 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy