EUVD-2026-24229CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionNVD
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.
AnalysisAI
Heap buffer overflow in PJSIP 2.16 and earlier allows local attackers with user interaction to execute arbitrary code or crash the application via maliciously crafted Opus audio frames. The vulnerability stems from undersized FEC decode buffers (960 bytes at 8 kHz mono) that receive up to 1280 bytes of encoded data without bounds checking during Opus codec decoding. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all systems running PJSIP 2.16 or earlier (check version via 'pjsip --version' or application UI). Within 7 days: Test and deploy PJSIP 2.17 or later in non-production environments; restrict user ability to open untrusted audio files pending upgrade. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today