Description
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.
Published: 2026-02-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a heap buffer overflow in the PJNATH ICE Session of the PJSIP library. When the library processes credentials that contain an excessively long username, a memory overwrite occurs. If exploited, this could allow a malicious actor to inject code or corrupt data, potentially leading to arbitrary code execution or service disruption. The flaw directly compromises the integrity of the process handling the credentials and, if successful, may also expose sensitive information.

Affected Systems

The issue affects the PJSIP (PJProject) library, versions 2.16 and earlier. Any application that incorporates PJProject and uses ICE to process authentication credentials is at risk. Typical deployments include VoIP servers, SIP proxy or media transport services that rely on the open-source library.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity. The EPSS score is less than 1%, showing a low probability of exploitation in the wild at present. The vulnerability is not listed in CISA’s KEV catalog. Based on how the bug is triggered—a crafted long username in an ICE credential—the likely attack vector is remote, where an attacker sends a specially crafted SIP packet or credential to a vulnerable service.

Generated by OpenCVE AI on April 17, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pjproject to the latest version (2.17 or newer) which contains the buffer overflow fix.
  • If an immediate upgrade is not possible, temporarily disable ICE handling or reject credential processing until the patch can be applied.
  • Recompile the library with security hardening options such as stack protection, address space layout randomization, and enable bounds checking where available.

Generated by OpenCVE AI on April 17, 2026 at 20:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8122-1 PJSIP vulnerabilities
History

Thu, 19 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip pjsip
CPEs cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*
Vendors & Products Pjsip pjsip
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 12 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip
Pjsip pjproject
Vendors & Products Pjsip
Pjsip pjproject

Wed, 11 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Description PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.
Title PJSIP has a heap buffer overflow in ICE with long username
Weaknesses CWE-120
References
Metrics cvssV4_0

{'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Pjsip Pjproject Pjsip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:20:58.443Z

Reserved: 2026-02-09T17:41:55.858Z

Link: CVE-2026-25994

cve-icon Vulnrichment

Updated: 2026-02-12T21:20:54.996Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-11T21:16:20.813

Modified: 2026-02-19T19:23:29.843

Link: CVE-2026-25994

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z

Weaknesses