Description
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.
Published: 2026-03-31
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Information disclosure
Action: Apply Patch
AI Analysis

Impact

An attacker who can supply a crafted VP9 Scalability Structure (SS) packet to the PJSIP library can trigger a heap out‑of‑bounds read in the VP9 RTP unpacketizer. The vulnerability stems from insufficient bounds checking on the payload descriptor length, allowing the library to read past the end of the allocated RTP payload buffer and potentially expose data residing in neighboring memory. This type of error is reflected by CWE‑125.

Affected Systems

The flaw is present in all releases of pjproject prior to version 2.17. Systems that depend on PJSIP for multimedia communication, such as VoIP gateways, SIP clients, or any application that processes VP9 RTP streams, are affected when they use an unpatched library and accept externally supplied VP9 packets. The patch was incorporated in the 2.17 release, so updating to that or a newer version removes the issue.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. Because the flaw requires the victim to process a malicious VP9 packet, the attack is likely remote over the network. While no EPSS score is available and the issue is not listed in KEV, the moderate score combined with a potentially active network exposure suggests that the risk should be addressed promptly, especially on systems exposed to untrusted networks.

Generated by OpenCVE AI on March 31, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PJSIP to version 2.17 or newer to remove the heap out‑of‑bounds read issue.
  • If an upgrade is not immediately possible, disable the VP9 codec in the application or system configuration as a temporary workaround.
  • Monitor network traffic for anomalous VP9 RTP packets and apply network filtering if feasible.

Generated by OpenCVE AI on March 31, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Pjsip
Pjsip pjproject
Vendors & Products Pjsip
Pjsip pjproject

Tue, 31 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.
Title PJSIP: Heap OOB read in VPX unpacketizer
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Pjsip Pjproject
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T15:36:47.466Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34235

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-31T16:16:32.767

Modified: 2026-03-31T16:16:32.767

Link: CVE-2026-34235

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:38:02Z

Weaknesses