Description
PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are within the payload buffer bounds. The vulnerability affects applications that receive video using H.264. A patch is available at https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

PJSIP’s H.264 unpacketizer contains a heap‑based buffer overflow that occurs when it processes malformed SRTP packets. The unpacketizer reads a two‑byte NAL unit size field without confirming that the bytes lie within the packet payload, allowing an attacker to overflow the heap and potentially write arbitrary data, which can lead to denial of service or execution of malicious code. The weakness is identified as a buffer overflow (CWE‑120, CWE‑122).
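The missing check the advisory describes, illustrated with an added example written for this page: a simplified parser for the 16-bit NAL unit size fields of an RFC 6184 STAP-A aggregation payload. It is not PJSIP's unpacketizer; the function name and sample payloads are constructed.

```c
/* Added example (not PJSIP code): walk the NAL units of an RFC 6184
 * STAP-A payload, confirming that BOTH bytes of each 2-byte size field
 * and the NAL unit they describe lie inside the payload buffer. */
#include <stdint.h>
#include <stddef.h>

/* Returns the number of NAL units found, or -1 if the payload is malformed. */
int count_stap_a_nalus(const uint8_t *payload, size_t len)
{
    size_t pos = 1;          /* skip the 1-byte STAP-A NAL header */
    int count = 0;

    if (len < 1 || (payload[0] & 0x1F) != 24)   /* STAP-A NAL type is 24 */
        return -1;

    while (pos < len) {
        /* The loop condition only proves payload[pos] is in bounds.
         * A payload that ends one byte into the size field would let an
         * unchecked read pull payload[pos + 1] from past the buffer end,
         * and the bogus size would then drive a later copy. Require both
         * bytes explicitly. */
        if (len - pos < 2)
            return -1;

        uint16_t nalu_size = (uint16_t)((payload[pos] << 8) | payload[pos + 1]);
        pos += 2;

        /* The NAL unit itself must also fit in the remaining bytes. */
        if (nalu_size == 0 || nalu_size > len - pos)
            return -1;

        pos += nalu_size;
        count++;
    }
    return count;
}
```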

Affected Systems

The vulnerability is present in all releases of PJSIP pjproject version 2.16 and earlier. Any application that embeds pjproject and receives H.264 video over SRTP—such as VoIP or video conferencing software—is impacted. The affected vendor/product is PJSIP pjproject, with the specific bug fixed in releases newer than 2.16.

Risk and Exploitability

The CVSS score of 8.1 classifies this as high severity. However, the EPSS score of less than 1% indicates a very low likelihood of exploitation at present, and it is not listed in the CISA KEV catalog. The likely attack vector is remote network: an adversary could send crafted SRTP packets to a vulnerable application to trigger the overflow, potentially leading to remote code execution. Proper validation of packet bounds would prevent exploitation.

Generated by OpenCVE AI on April 17, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PJSIP pjproject to the latest release that includes the commit fixing the overflow (e.g., 2.17 or later).
  • If an immediate update is not feasible, disable H.264 video decoding or suppress SRTP packet processing until the patch is applied.
  • Restrict inbound SRTP video traffic to trusted networks or block untrusted SRTP packets via firewall or ACL rules.

Generated by OpenCVE AI on April 17, 2026 at 17:37 UTC.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip pjsip
CPEs cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*
Vendors & Products Pjsip pjsip
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip
Pjsip pjproject
Vendors & Products Pjsip
Pjsip pjproject

Fri, 20 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are within the payload buffer bounds. The vulnerability affects applications that receive video using H.264. A patch is available at https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491.
Title PJSIP has a Heap-based Buffer Overflow vulnerability in its H.264 unpacketizer
Weaknesses CWE-122
References
Metrics cvssV4_0

{'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:36:17.964Z

Reserved: 2026-02-16T22:20:28.612Z

Link: CVE-2026-26967

Vulnrichment

Updated: 2026-02-20T15:30:24.869Z

NVD

Status : Analyzed

Published: 2026-02-20T01:15:59.953

Modified: 2026-02-20T19:30:22.237

Link: CVE-2026-26967

Redhat

Severity : Important

Public Date: 2026-02-20T00:26:54Z

Links: CVE-2026-26967 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses