Description
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.
Published: 2026-03-20
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a heap use-after-free (CWE-416) in the ICE (Interactive Connectivity Establishment) session code of PJSIP, reached through a race between destruction of an ICE session and callbacks that still hold a pointer to it. When the session is torn down while such a callback is pending or executing, the callback operates on freed heap memory. Depending on what reuses that memory, the outcome ranges from a crash of the hosting process to attacker-influenced memory corruption and arbitrary code execution, compromising the confidentiality, integrity and availability of the communications that process handles. The attack surface is ICE traffic: any component that initiates or receives ICE connectivity checks can be the entry point. The CVSS vectors recorded in the history below (v3.1 AV:N/AC:H and v4.0 AV:N/AC:L) both rate the issue as network-reachable without privileges or user interaction; they differ on how hard the race is to win, and the assigner's v4.0 vector records no availability impact (VA:N) even though a use-after-free can also crash the process.
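The destroy-versus-callback race described above, as an added illustration of the bug class. It is not PJSIP code and does not reproduce the actual defect or the 2.17 fix; every name in it (ice_sess_t, vuln_destroy, safe_on_event and so on) is hypothetical. The vulnerable half frees the session as soon as the application asks, so a callback queued earlier runs on freed memory. The hardened half gives every pending callback its own reference, so destruction only releases the application's reference and the memory survives until the last callback has returned. A small static pool with an in-use bit stands in for the heap so the dangling access is detected deterministically instead of relying on undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the CWE-416 race named in the advisory; not PJSIP code.
 * A session object is destroyed by the application while a callback that was
 * queued earlier (timer, socket readiness, connectivity-check result) still
 * holds a raw pointer to it.
 *
 * Objects come from a small static pool whose in_use bit lets the demo detect a
 * dangling access deterministically; with a real heap the same ordering is
 * undefined behaviour and corrupts or crashes the process. */

enum { POOL_SLOTS = 4 };
enum { RC_OK = 0, RC_DESTROYED = 1, RC_UAF = 2 };

typedef struct ice_sess {
    int in_use;       /* cleared when the slot is returned to the pool */
    int refcnt;       /* hardened variant: owner + in-flight callbacks */
    int destroy_req;  /* hardened variant: application asked for teardown */
    int events;       /* work performed by callbacks */
} ice_sess_t;

static ice_sess_t pool[POOL_SLOTS];
static int pool_frees;

static ice_sess_t *sess_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].in_use = 1;
            pool[i].refcnt = 1;   /* the application's reference */
            return &pool[i];
        }
    }
    return NULL;
}

static void sess_free(ice_sess_t *s) {
    s->in_use = 0;                /* anyone still holding s now has a dangling pointer */
    pool_frees++;
}

/* Vulnerable pattern: destroy frees immediately, callbacks keep raw pointers. */
static void vuln_destroy(ice_sess_t *s) {
    sess_free(s);
}

static int vuln_on_event(ice_sess_t *s) {
    if (!s->in_use)
        return RC_UAF;            /* the callback is touching freed memory */
    s->events++;
    return RC_OK;
}

/* Hardened pattern: every holder of the pointer owns a reference; the last
 * reference to go frees the object, so a queued callback keeps it alive. */
static void sess_add_ref(ice_sess_t *s) { s->refcnt++; }

static void sess_dec_ref(ice_sess_t *s) {
    if (--s->refcnt == 0)
        sess_free(s);
}

static void safe_destroy(ice_sess_t *s) {
    s->destroy_req = 1;           /* teardown is requested here, not performed */
    sess_dec_ref(s);
}

static int safe_on_event(ice_sess_t *s) {
    int rc;
    if (!s->in_use)
        return RC_UAF;            /* unreachable if every holder took a reference */
    rc = s->destroy_req ? RC_DESTROYED : RC_OK;
    if (rc == RC_OK)
        s->events++;
    sess_dec_ref(s);              /* the callback's reference; may free right here */
    return rc;
}

/* Same interleaving for both variants: an event is queued, the application
 * destroys the session, then the queued callback fires. */
int run_vulnerable_ordering(void) {
    ice_sess_t *s = sess_alloc();
    if (s == NULL)
        return -1;
    vuln_destroy(s);
    return vuln_on_event(s);
}

int run_hardened_ordering(void) {
    ice_sess_t *s = sess_alloc();
    if (s == NULL)
        return -1;
    sess_add_ref(s);              /* the scheduler pins the session when it queues the event */
    safe_destroy(s);              /* refcnt drops to 1; memory stays valid */
    return safe_on_event(s);      /* sees destroy_req, skips the work, drops the last reference */
}

int pool_frees_so_far(void) { return pool_frees; }

int main(void) {
    printf("vulnerable ordering: rc=%d (2 = use after free)\n", run_vulnerable_ordering());
    printf("hardened ordering:   rc=%d (1 = work skipped, freed after callback)\n",
           run_hardened_ordering());
    printf("sessions freed: %d\n", pool_frees_so_far());
    return 0;
}
```

Under a real allocator the vulnerable ordering reads and writes whatever now occupies the freed block, which is what turns the race into a crash or code execution. The reference-count discipline is the general remedy; the deferred check of destroy_req inside the callback matters as much as the count itself, so that work is skipped rather than performed on a session the application has already abandoned.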

Affected Systems

Affected: pjproject (the PJSIP library) version 2.16 and earlier; the history below records the product under both the pjsip and pjproject names. The defect sits in the ICE session code, so any application that uses pjproject's ICE support for media or signalling transport is exposed, including software that bundles or statically links its own copy of pjproject rather than using the system library. The maintainers state that version 2.17 and later contain the fix.

Risk and Exploitability

The CVSS scores (8.1 under v3.1, 8.0 under v4.0) place the issue in the high band. The EPSS estimate is below 1%, indicating a low observed probability of exploitation at the time of writing, and the vulnerability is not in the CISA KEV catalog; the SSVC record marks exploitation as "none" but rates the flaw as automatable with total technical impact. The low observed likelihood should not delay patching: the bug class allows arbitrary code execution, and an attacker who can send ICE connectivity checks to the process, whether from across the network or from a compromised peer on the same host, can attempt to trigger the race repeatedly until it wins.

Generated by OpenCVE AI on March 24, 2026 at 03:48 UTC.

Remediation

The vendor fix is the pjproject 2.17 release, as stated in the description above; no standalone workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade pjproject to version 2.17 or newer, including every application that bundles or statically links its own copy of the library; confirm the version actually in use at runtime rather than the one the package manager reports.
  • If an upgrade is not immediately feasible, disable ICE in the application until the fixed version is deployed (for applications built on the pjsua API this is the enable_ice flag of pjsua_media_config). This removes NAT traversal for media, so endpoints behind NATs may no longer establish audio or video; treat it as a short-lived stopgap and verify that the call path still works in your deployment.
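Confirming which pjproject a binary actually carries is the step most often skipped when the library is bundled. The function below is an added example, not PJSIP or OpenCVE code: it classifies a pjproject version string against the range in this advisory. pj_get_version() is pjlib's real accessor for that string, but pjproject_affected() and the PJV_* result codes are this example's own names, and the sample strings in main() are constructed. A pre-release suffix on 2.17 itself is reported as unknown, because such a snapshot sits between the 2.16 and 2.17 tags and may predate the fix.

```c
#include <stdio.h>

/* Added example, not PJSIP code. Classify a pjproject version string against
 * the range in CVE-2026-32942: 2.16 and earlier affected, 2.17 and later fixed.
 * At runtime the string comes from pj_get_version() (pjlib); the samples in
 * main() are constructed for the demo. */

enum { PJV_FIXED = 0, PJV_AFFECTED = 1, PJV_UNKNOWN = -1 };

int pjproject_affected(const char *version) {
    unsigned major, minor, patch = 0;
    int used = 0;
    const char *rest;

    if (version == NULL)
        return PJV_UNKNOWN;
    /* %n records how much of the string the two numbers consumed */
    if (sscanf(version, "%u.%u%n", &major, &minor, &used) != 2)
        return PJV_UNKNOWN;
    rest = version + used;
    if (*rest == '.' && sscanf(rest, ".%u%n", &patch, &used) == 1)
        rest += used;                 /* optional patch level, e.g. 2.14.1 */

    if (major < 2 || (major == 2 && minor <= 16))
        return PJV_AFFECTED;
    /* "2.17-dev", "2.17-rc1": a snapshot between the 2.16 and 2.17 tags, which
     * may or may not already contain the fix; check the commit instead. */
    if (major == 2 && minor == 17 && patch == 0 && *rest != '\0')
        return PJV_UNKNOWN;
    return PJV_FIXED;
}

static const char *label(int rc) {
    return rc == PJV_AFFECTED ? "AFFECTED, upgrade" :
           rc == PJV_FIXED    ? "fixed" : "unknown, verify manually";
}

int main(void) {
    /* constructed sample strings */
    const char *samples[] = { "2.16", "2.14.1", "2.17", "2.17.1", "2.17-dev", "v2.17", "1.12" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s %s\n", samples[i], label(pjproject_affected(samples[i])));
    return 0;
}
```

Run the same classification against the string your deployed binary reports, not against the distribution package version; a statically linked copy can lag the system library by several releases.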

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Pjsip pjsip
CPEs                  (none)           cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Pjsip pjsip
Metrics               (none)           cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 19:15:00 +0000

Type                  Values Removed   Values Added
Metrics               (none)           ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Pjsip; Pjsip pjproject
Vendors & Products    (none)           Pjsip; Pjsip pjproject

Fri, 20 Mar 2026 04:15:00 +0000

Type                  Values Removed   Values Added
Description           (none)           PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.
Title                 (none)           PJSIP has ICE session use-after-free race conditions
Weaknesses            (none)           CWE-416
References            (none)           (not shown on this page)
Metrics               (none)           cvssV4_0 {'score': 8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:08:20.801Z

Reserved: 2026-03-17T00:05:53.283Z

Link: CVE-2026-32942

Vulnrichment

Updated: 2026-03-20T17:12:47.243Z

NVD

Status : Analyzed

Published: 2026-03-20T04:16:49.743

Modified: 2026-03-23T20:51:20.980

Link: CVE-2026-32942

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:09:26Z

Weaknesses