Description
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verify_server = PJ_TRUE or verify_client = PJ_TRUE. This issue has been patched in version 2.17.
Published: 2026-05-07
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows PJSIP to accept TLS connections presenting invalid or untrusted certificates even when the application explicitly enables certificate verification. The GnuTLS backend silently skips certificate chain validation, enabling an attacker to pose as a legitimate server or client and intercept or modify media streams. The weakness is catalogued as CWE-295 (Improper Certificate Validation).

Affected Systems

The problem affects the PJSIP multimedia communication library (pjproject) on builds that use GnuTLS as the TLS backend. Versions prior to 2.17 are vulnerable; the patch was incorporated in release 2.17 and later.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity with serious implications for confidentiality and integrity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an adversary establishing a TLS session to a PJSIP endpoint with a forged certificate; because verification is bypassed, the connection is accepted and the attacker can intercept or alter the protected media stream. This makes the issue remotely exploitable without any additional privileges.

Generated by OpenCVE AI on May 7, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to PJSIP 2.17 or later where certificate verification is properly enforced.
  • If upgrading cannot be applied immediately, disable or remove TLS-based transport to eliminate the risk of accepting untrusted connections.
  • As a temporary measure, add application-level checks after the TLS handshake to reject any certificates that are not explicitly trusted, such as verifying the certificate fingerprint against a whitelist.

Advisories

No advisories yet.

History

Thu, 07 May 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pjsip
                                      Pjsip pjproject
Vendors & Products                    Pjsip
                                      Pjsip pjproject

Thu, 07 May 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Description                           PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verify_server = PJ_TRUE or verify_client = PJ_TRUE. This issue has been patched in version 2.17.
Title                                 GnuTLS backend silently skips certificate chain verification when verify_peer is false
Weaknesses                            CWE-295
References
Metrics                               cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T18:47:26.563Z

Reserved: 2026-04-25T05:37:12.116Z

Link: CVE-2026-42225

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-07T20:16:43.960

Modified: 2026-05-07T20:36:31.717

Link: CVE-2026-42225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T20:30:15Z

Weaknesses