Description
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.
Published: 2026-03-31
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure
Action: Immediate Patch
AI Analysis

Impact

An out‑of‑bounds read can occur in the PJSIP library when it parses a VP9 scalability structure that has been specially crafted. The payload descriptor length is not properly checked, allowing the unpacketizer to read beyond the bounds of the allocated RTP payload buffer. This weakness is classified as CWE‑125 and may expose internal memory contents, leading to potential information disclosure.

Affected Systems

The vulnerability affects the open‑source PJSIP multimedia communication library, known as pjproject. All releases prior to version 2.17 are impacted. Applications that incorporate any older build of pjproject and process VP9 streams are susceptible to this read error.

Risk and Exploitability

The CVSS v3.1 score of 6.9 indicates a moderate severity, while the EPSS figure of less than 1 % points to a low likelihood of exploitation. The issue does not appear in CISA’s KEV catalog. Based on the description, it is inferred that an attacker may trigger the read by sending crafted VP9 RTP packets to the vulnerable application, though no proven exploit exists at this time.

Generated by OpenCVE AI on April 3, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pjproject to version 2.17 or later to apply the bounds‑checking patch.
  • If an upgrade cannot be performed immediately, disable the VP9 codec in the application configuration to prevent processing of VP9 streams.
  • Verify the library version at runtime or review the build configuration to confirm the patch is in place.
  • Monitor for new advisories and keep the library upgraded as soon as possible.

Generated by OpenCVE AI on April 3, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Teluu
Teluu pjsip
CPEs cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*
Vendors & Products Teluu
Teluu pjsip

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip
Pjsip pjproject
Vendors & Products Pjsip
Pjsip pjproject

Tue, 31 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.
Title PJSIP: Heap OOB read in VPX unpacketizer
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Pjsip Pjproject
Teluu Pjsip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:20:55.954Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34235

cve-icon Vulnrichment

Updated: 2026-04-02T15:20:51.562Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T16:16:32.767

Modified: 2026-04-03T14:23:41.230

Link: CVE-2026-34235

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:17:35Z

Weaknesses