Description
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.
Published: 2026-03-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A heap use-after-free flaw in PJSIP's event subscription framework allows an attacker to trigger arbitrary code execution by sending a presence unsubscription request (SUBSCRIBE with Expires=0). The vulnerability resides in evsub.c and is catalogued as CWE-416 and CWE-825. Because memory is freed and then accessed, an attacker who can craft the unsubscription packet could manipulate program flow or crash the process, leading to potential denial of service or execution of malicious code on the host.

Affected Systems

The affected product is PJSIP from the pjproject vendor. All releases prior to version 2.17 are vulnerable; version 2.17 and later contain the patch that protects against the heap use-after-free during presence subscription termination.

Risk and Exploitability

The CVSS score of 8.7 classifies this flaw as high severity. The EPSS score of less than 1% indicates a very low current exploit probability, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is remote where the affected library is exposed to network traffic, and local where it is reachable only by local users with sufficient privileges; which applies depends on the deployment context. The low EPSS score should not diminish the urgency of remediation, because the potential impact is severe.

Generated by OpenCVE AI on April 16, 2026 at 11:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PJProject library to version 2.17 or later to apply the official patch for the event subscription flaw.
  • If an immediate upgrade is not possible, disable or remove the presence subscription feature from the application to eliminate the entry point for the use-after-free.
  • Continuously monitor network traffic for unexpected SUBSCRIBE packets with Expires=0 and block or log them as potential exploitation attempts.
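
As an added example (not from the advisory, OpenCVE, or the PJSIP project), the monitoring check in the last recommendation written out: a minimal parser for SIP request headers that flags a SUBSCRIBE for the presence event package carrying Expires: 0, run over constructed sample messages.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample SIP requests for this demo (not captured traffic).
SAMPLES = {
    "unsub": ("SUBSCRIBE sip:alice@example.net SIP/2.0\r\n"
              "Event: presence\r\nExpires: 0\r\nContent-Length: 0\r\n\r\n"),
    "compact": ("SUBSCRIBE sip:alice@example.net SIP/2.0\r\n"
                "o: presence;id=42\r\nExpires:  0\r\nContent-Length: 0\r\n\r\n"),
    "refresh": ("SUBSCRIBE sip:alice@example.net SIP/2.0\r\n"
                "Event: presence\r\nExpires: 3600\r\nContent-Length: 0\r\n\r\n"),
    "dialog": ("SUBSCRIBE sip:alice@example.net SIP/2.0\r\n"
               "Event: dialog\r\nExpires: 0\r\nContent-Length: 0\r\n\r\n"),
}

REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
COMPACT = {"o": "event"}  # compact form of the Event header (RFC 3265)


def parse_request(raw: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (method, headers) for a SIP request, or None for responses or
    malformed input. Names are lower-cased, compact forms expanded, first wins."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    match = REQUEST_LINE.match(head[0])
    if not match:
        return None
    headers: Dict[str, str] = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers.setdefault(COMPACT.get(name, name), value.strip())
    return match.group(1), headers


def is_presence_unsubscribe(raw: str) -> bool:
    """True for a SUBSCRIBE on the presence event package with Expires: 0."""
    parsed = parse_request(raw)
    if parsed is None or parsed[0] != "SUBSCRIBE":
        return False
    headers = parsed[1]
    event = headers.get("event", "").split(";", 1)[0].strip().lower()
    try:
        expires = int(headers.get("expires", ""))
    except ValueError:
        return False  # missing or non-numeric Expires is not the trigger
    return event == "presence" and expires == 0


def scan(messages: Dict[str, str]) -> List[str]:
    """Labels of the messages that match, for logging or alerting."""
    return [label for label, raw in messages.items() if is_presence_unsubscribe(raw)]
```

Expires: 0 is also how a well-behaved client ends a presence subscription, so a match is a signal to log and correlate with peer reputation and process crashes, not grounds for an automatic block on its own.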


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip pjsip
CPEs cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*
Vendors & Products Pjsip pjsip

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip
Pjsip pjproject
Vendors & Products Pjsip
Pjsip pjproject

Fri, 06 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


Fri, 06 Mar 2026 07:00:00 +0000

Type Values Removed Values Added
Description PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.
Title PJSIP: Heap use-after-free in PJSIP presence subscription termination handler
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T19:50:33.494Z

Reserved: 2026-03-03T14:25:19.245Z

Link: CVE-2026-28799

Vulnrichment

Updated: 2026-03-09T19:50:28.703Z

NVD

Status : Analyzed

Published: 2026-03-06T07:16:00.527

Modified: 2026-03-10T19:44:11.920

Link: CVE-2026-28799

Redhat

Severity : Important

Public Date: 2026-03-06T06:36:55Z

Links: CVE-2026-28799 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses