Description
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.
Published: 2026-04-21
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

PJSIP versions 2.16 and earlier contain a heap buffer overflow in the Opus codec decode path caused by insufficient buffer size validation when allocating FEC decode buffers. The three memcpy calls copy the full input frame size without checking bounds, so a maliciously sized frame can overwrite adjacent heap memory. The flaw is a classic CWE‑122 situation that can allow an attacker to execute arbitrary code or crash the application.
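The size mismatch described above, worked through in C as an added example. This is not pjproject's code and not the fix shipped upstream: `frame_slot`, `slot_store`, `safe_buf_size` and `overflow_bytes` are hypothetical names, and only the sizing formula and the 1280-byte limit are taken from the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENCODED_PACKET_SIZE 1280   /* upper bound quoted in the description */

/* Sizing formula quoted in the description: 60 ms of 16-bit PCM. */
static size_t pcm_derived_size(unsigned sample_rate, unsigned channel_cnt)
{
    return (size_t)(sample_rate / 1000) * 60 * channel_cnt * 2;
}

/* Assumed hardening: never allocate less than the largest encoded frame. */
static size_t safe_buf_size(unsigned sample_rate, unsigned channel_cnt)
{
    size_t n = pcm_derived_size(sample_rate, channel_cnt);
    return n < MAX_ENCODED_PACKET_SIZE ? MAX_ENCODED_PACKET_SIZE : n;
}

/* Bytes an unchecked copy of len bytes would write past a cap-byte buffer. */
static size_t overflow_bytes(size_t cap, size_t len)
{
    return len > cap ? len - cap : 0;
}

/* Hypothetical stand-in for one dec_frame[] slot; cap is the allocated size. */
struct frame_slot { unsigned char *buf; size_t cap; size_t size; };

/* Bounded copy: 0 on success, -1 (slot emptied) when the frame does not fit. */
static int slot_store(struct frame_slot *slot, const void *data, size_t len)
{
    if (slot == NULL || slot->buf == NULL || (len != 0 && data == NULL))
        return -1;
    if (len > slot->cap) {
        slot->size = 0;                /* drop the frame instead of truncating */
        return -1;
    }
    memcpy(slot->buf, data, len);
    slot->size = len;
    return 0;
}

int main(void)
{
    size_t cap = pcm_derived_size(8000, 1);
    printf("8 kHz mono: buffer %zu bytes, worst-case overrun %zu bytes\n",
           cap, overflow_bytes(cap, MAX_ENCODED_PACKET_SIZE));
    printf("hardened buffer size: %zu bytes\n", safe_buf_size(8000, 1));
    return 0;
}
```

Dropping an oversized frame, rather than truncating it, keeps a partial packet from reaching the decoder.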

Affected Systems

The affected product is the PJSIP multimedia library (pjproject) released before version 2.17. Any deployment that uses pjsip 2.16 or earlier for Opus audio decoding is vulnerable. No additional vendor or product details are provided beyond the pjproject identifier.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity flaw with significant impact. EPSS data is not available, so the exploitation likelihood is uncertain, but the vulnerability is not listed in CISA KEV. The likely attack vector is through network traffic, as an attacker can send crafted Opus frames to any service using the vulnerable decoder, potentially leading to arbitrary code execution. The absence of a mitigation in the advisory suggests that deploying the fixed version is critical for reducing risk.

Generated by OpenCVE AI on April 22, 2026 at 05:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of pjproject (2.17 or newer) where the buffer size validation fix has been applied.
  • If an immediate upgrade is not possible, isolate the affected service from untrusted networks or reject Opus frames larger than 960 bytes to reduce the risk of a buffer overflow.
  • Conduct a security audit of the media server to ensure that no other similar overflows exist and that all codec configurations enforce proper bounds checking.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Pjsip pjsip |
| CPEs | | cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:* |
| Vendors & Products | | Pjsip pjsip |
| Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


Wed, 22 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 22 Apr 2026 03:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Pjsip; Pjsip pjproject |
| Vendors & Products | | Pjsip; Pjsip pjproject |

Wed, 22 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow. |
| Title | | PJSIP: Heap buffer overflow in Opus codec decoding |
| Weaknesses | | CWE-122 |
| References | | |
| Metrics | | cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:33:23.816Z

Reserved: 2026-04-14T14:07:59.642Z

Link: CVE-2026-40614

Vulnrichment

Updated: 2026-04-22T13:33:18.188Z

NVD

Status: Analyzed

Published: 2026-04-21T19:16:17.880

Modified: 2026-04-23T16:09:54.393

Link: CVE-2026-40614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses