Skip to main content

Pjproject EUVDEUVD-2026-13632

| CVE-2026-33069 HIGH
Out-of-bounds Read (CWE-125)
2026-03-20 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 08:45 euvd
EUVD-2026-13632
Analysis Generated
Mar 20, 2026 - 08:45 vuln.today
CVE Published
Mar 20, 2026 - 08:21 nvd
HIGH 7.5

DescriptionGitHub Advisory

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.

AnalysisAI

PJSIP versions 2.16 and below contain a cascading out-of-bounds heap read vulnerability in the pjsip_multipart_parse() function that allows attackers to read 1-2 bytes of adjacent heap memory when processing SIP messages with multipart bodies or SDP content. The vulnerability affects all applications using PJSIP to process incoming SIP messages, as the flaw does not require authentication or user interaction and can be triggered remotely over the network. While the CVSS score of 6.9 reflects moderate severity with low confidentiality impact, the low attack complexity and remote exploitability make this a practical concern for SIP-based communication systems.

Technical ContextAI

PJSIP is a free and open-source multimedia communication library written in C that implements SIP (Session Initiation Protocol) and related protocols for VoIP and real-time communication. The vulnerability exists in the boundary parsing logic of pjsip_multipart_parse(), which processes multipart MIME content and SDP (Session Description Protocol) data within SIP messages. The root cause is classified as CWE-125 (Out-of-bounds Read), specifically a cascading vulnerability where after matching a boundary string delimiter, the parser advances a cursor pointer (curptr) past the delimiter without first verifying that the cursor has not exceeded the buffer boundary. This allows the subsequent read operations to access 1-2 bytes of heap memory that lie outside the intended input buffer, potentially exposing sensitive data or adjacent heap structures. The affected CPE string cpe:2.3:a:pjsip:pjproject:*:*:*:*:*:*:*:* confirms that all versions of the pjproject package up to and including 2.16 are vulnerable.

RemediationAI

Upgrade PJSIP (pjproject) to version 2.17 or later immediately, as this version includes the fix committed at https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db. For systems that cannot upgrade immediately, restrict network access to the SIP service by implementing IP-based access controls that limit incoming SIP traffic to trusted peers and administrative networks, and disable multipart message processing if operationally feasible. Monitor SIP traffic logs for malformed multipart or SDP payloads that might indicate exploitation attempts. After patching, validate the upgrade by reviewing your application build configuration to ensure the new PJSIP version is correctly linked and deployed.

Vendor StatusVendor

Debian

pjproject
Release Status Fixed Version Urgency
(unstable) fixed (unfixed) -

Share

EUVD-2026-13632 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy