Description
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead.
Published: 2026-03-20
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

PJSIP is a free and open source multimedia communication library written in C. A heap‑based buffer overflow exists in the DNS parser’s name‑length handler, which can allow an attacker to trigger arbitrary code execution by sending a specially crafted DNS query. The vulnerability is marked as CWE‑122 and can lead to loss of confidentiality, integrity, and availability of any system that processes untrusted DNS requests through the affected library.

Affected Systems

The flaw affects pjproject (PJSIP) packages with versions 2.16 and earlier. Applications that use PJSIP’s built‑in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2, are at risk. Systems that rely on the operating system resolver (e.g., getaddrinfo()) and do not configure a nameserver are not affected, nor are those that use an external resolver through pjsip_resolver_set_ext_resolver().

Risk and Exploitability

The vulnerability carries a CVSS score of 8.4, indicating high severity, but the EPSS score is less than 1 %, which suggests a low probability of being actively exploited in the wild. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector involves malicious DNS traffic; this is inferred from the nature of the DNS parser usage. Exploitation would require the target to accept DNS queries processed by the vulnerable library, providing a pathway for remote code execution.

Generated by OpenCVE AI on March 24, 2026 at 03:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading PJSIP to version 2.17 or later.
  • If an upgrade is not immediately possible, disable DNS resolution in the PJSIP configuration by setting nameserver_count to zero.
  • Alternatively, configure PJSIP to use an external resolver via pjsip_resolver_set_ext_resolver().

Generated by OpenCVE AI on March 24, 2026 at 03:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip pjsip
CPEs cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*
Vendors & Products Pjsip pjsip
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip
Pjsip pjproject
Vendors & Products Pjsip
Pjsip pjproject

Fri, 20 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Description PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead.
Title PJSIP is vulnerable to Heap-based Buffer Overflow through DNS parser
Weaknesses CWE-122
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Pjsip Pjproject Pjsip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T14:28:15.761Z

Reserved: 2026-03-17T00:05:53.283Z

Link: CVE-2026-32945

cve-icon Vulnrichment

Updated: 2026-03-20T14:28:12.755Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T04:16:49.927

Modified: 2026-03-23T20:54:34.997

Link: CVE-2026-32945

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:09:25Z

Weaknesses