Description
PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.
Published: 2026-02-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Underflow
Action: Patch
AI Analysis

Impact

The PJSIP multimedia library contains a component called pjmedia‑video, whose H.264 packetizer has a heap buffer underflow vulnerability. When the packetizer processes fragmented NAL units that do not contain start code delimiters, it performs unchecked pointer arithmetic and can read memory located before the beginning of its allocated buffer. This memory read can expose sensitive data from the heap, although the description does not indicate that it directly leads to code execution or other higher‑level impacts.

Affected Systems

Versions of the PJSIP library older than 2.17 are affected. The flaw resides in the pjmedia‑video component of the PJSIP project. The issue was addressed in release 2.17, which adds validation of H.264 streams and corrects the pointer arithmetic in the packetizer.

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability is considered medium severity. The EPSS score is below 1 %, indicating a low likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The likely attack vector, inferred from the nature of the library, is remote via a network stream; an attacker could transmit specially crafted H.264 packets to a system that uses the vulnerable pjmedia‑video component to trigger the underflow.

Generated by OpenCVE AI on April 18, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PJSIP to 2.17 or newer version.
  • If upgrading immediately is not possible, validate incoming H.264 streams to ensure proper NAL unit start codes before they are processed by pjmedia‑video, rejecting malformed packets.
  • Monitor network traffic for anomalous or malformed H.264 frames and apply filtering or rate limiting to reduce the window for exploitation.

Generated by OpenCVE AI on April 18, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip pjsip
CPEs cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*
Vendors & Products Pjsip pjsip
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip
Pjsip pjmedia-video
Vendors & Products Pjsip
Pjsip pjmedia-video

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.
Title PJSIP's pjmedia-video has use-after-free in H264 packetizer when packetizing fragmented NAL
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L'}

Subscriptions

Pjsip Pjmedia-video Pjsip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T21:22:31.050Z

Reserved: 2026-02-11T19:56:24.814Z

Link: CVE-2026-26203

cve-icon Vulnrichment

Updated: 2026-02-19T21:15:32.089Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T20:25:43.113

Modified: 2026-02-20T20:12:31.223

Link: CVE-2026-26203

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses