Source: asterisk
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

Multiple security issues were reported against pjsip and fixed in 2.17.
Asterisk bundles 2.16 in unstable:

CVE-2025-65102[0]:
| PJSIP is a free and open source multimedia communication library.
| Prior to version 2.16, Opus PLC may zero-fill the input frame as
| long as the decoder ptime, while the input frame length, which is
| based on stream ptime, may be less than that. This issue affects
| PJSIP users who use the Opus audio codec in receiving direction. The
| vulnerability can lead to unexpected application termination due to
| a memory overwrite. This issue has been patched in version 2.16.

CVE-2026-25994[1]:
| PJSIP is a free and open source multimedia communication library
| written in C. In 2.16 and earlier, a buffer overflow vulnerability
| exists in PJNATH ICE Session when processing credentials with
| excessively long usernames.

CVE-2026-41415[2]:
| PJSIP is a free and open source multimedia communication library
| written in C. In 2.16 and earlier, there is an out-of-bounds read
| when parsing a malformed Content-ID URI in SIP multipart message
| body. Insufficient length validation can cause reads beyond the
| intended buffer bounds. This vulnerability is fixed in 2.17.

CVE-2026-40614[3]:
| PJSIP is a free and open source multimedia communication library
| written in C. In 2.16 and earlier, there is a buffer overflow when
| decoding Opus audio frames due to insufficient buffer size
| validation in the Opus codec decode path. The FEC decode buffers
| (dec_frame[].buf) were allocated based on a PCM-derived formula:
| (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields
| only 960 bytes, but codec_parse() can output encoded frames up to
| MAX_ENCODED_PACKET_SIZE (1280) bytes via
| opus_repacketizer_out_range(). The three pj_memcpy() calls in
| codec_decode() copied input->size bytes without bounds checking,
| causing a heap buffer overflow.

CVE-2026-40892[4]:
| PJSIP is a free and open source multimedia communication library
| written in C. In 2.16 and earlier, a stack buffer overflow exists in
| pjsip_auth_create_digest2() in PJSIP when using pre-computed digest
| credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential
| data using cred_info->data.slen as the length without an upper-bound
| check, which can overflow the fixed-size ha1 stack buffer (128
| bytes) if data.slen exceeds the expected digest string length.

CVE-2026-41416[5]:
| PJSIP is a free and open source multimedia communication library
| written in C. In 2.16 and earlier, there is an integer overflow in
| media stream buffer size calculation when processing SDP with
| asymmetric ptime configuration. The overflow may result in an
| undersized buffer allocation, which can lead to unexpected
| application termination or memory corruption. This vulnerability is
| fixed in 2.17.

CVE-2026-26203[6]:
| PJSIP is a free and open source multimedia communication library.
| Versions prior to 2.17 have a critical heap buffer underflow
| vulnerability in PJSIP's H.264 packetizer. The bug occurs when
| processing malformed H.264 bitstreams without NAL unit start codes,
| where the packetizer performs unchecked pointer arithmetic that can
| read from memory located before the allocated buffer. Version 2.17
| contains a patch for the issue.

CVE-2026-26967[7]:
| PJSIP is a free and open source multimedia communication library
| written in C. In versions 2.16 and below, there is a critical
| Heap-based Buffer Overflow vulnerability in PJSIP's H.264
| unpacketizer. The bug occurs when processing malformed SRTP packets,
| where the unpacketizer reads a 2-byte NAL unit size field without
| validating that both bytes are within the payload buffer bounds. The
| vulnerability affects applications that receive video using H.264. A
| patch is available at
| https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491.

CVE-2026-32942[8]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.16 and below contain a heap use-after-free
| vulnerability in the ICE session that occurs when there are race
| conditions between session destruction and the callbacks. This issue
| has been fixed in version 2.17.

CVE-2026-28799[9]:
| PJSIP is a free and open source multimedia communication library
| written in C. Prior to version 2.17, a heap use-after-free
| vulnerability exists in PJSIP's event subscription framework
| (evsub.c) that is triggered during presence unsubscription
| (SUBSCRIBE with Expires=0). This issue has been patched in version
| 2.17.

CVE-2026-29068[10]:
| PJSIP is a free and open source multimedia communication library
| written in C. Prior to version 2.17, there is a stack buffer
| overflow vulnerability when pjmedia-codec parses an RTP payload
| containing more frames than the caller-provided frames can hold.
| This issue has been patched in version 2.17.

CVE-2026-32945[11]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.16 and below have a Heap-based Buffer
| Overflow vulnerability in the DNS parser's name length handler.
| This impacts applications using PJSIP's built-in DNS resolver, such
| as those configured with pjsua_config.nameserver or
| UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who
| rely on the OS resolver (e.g., getaddrinfo()) by not configuring a
| nameserver, or those using an external resolver via
| pjsip_resolver_set_ext_resolver(). This issue is fixed in version
| 2.17. For users unable to upgrade, a workaround is to disable DNS
| resolution in the PJSIP config (by setting nameserver_count to zero)
| or to use an external resolver implementation instead.

CVE-2026-33069[12]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.16 and below have a cascading out-of-bounds
| heap read in pjsip_multipart_parse(). After boundary string
| matching, curptr is advanced past the delimiter without verifying it
| has not reached the buffer end. This allows 1-2 bytes of adjacent
| heap memory to be read. All applications that process incoming SIP
| messages with multipart bodies or SDP content are potentially
| affected. This issue is resolved in version 2.17.

CVE-2026-34235[13]:
| PJSIP is a free and open source multimedia communication library
| written in C. Prior to version 2.17, a heap out-of-bounds read
| vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs
| when parsing crafted VP9 Scalability Structure (SS) data.
| Insufficient bounds checking on the payload descriptor length may
| cause reads beyond the allocated RTP payload buffer. This issue has
| been patched in version 2.17. A workaround for this issue involves
| disabling VP9 codec if not needed.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-65102
    https://www.cve.org/CVERecord?id=CVE-2025-65102
[1] https://security-tracker.debian.org/tracker/CVE-2026-25994
    https://www.cve.org/CVERecord?id=CVE-2026-25994
[2] https://security-tracker.debian.org/tracker/CVE-2026-41415
    https://www.cve.org/CVERecord?id=CVE-2026-41415
[3] https://security-tracker.debian.org/tracker/CVE-2026-40614
    https://www.cve.org/CVERecord?id=CVE-2026-40614
[4] https://security-tracker.debian.org/tracker/CVE-2026-40892
    https://www.cve.org/CVERecord?id=CVE-2026-40892
[5] https://security-tracker.debian.org/tracker/CVE-2026-41416
    https://www.cve.org/CVERecord?id=CVE-2026-41416
[6] https://security-tracker.debian.org/tracker/CVE-2026-26203
    https://www.cve.org/CVERecord?id=CVE-2026-26203
[7] https://security-tracker.debian.org/tracker/CVE-2026-26967
    https://www.cve.org/CVERecord?id=CVE-2026-26967
[8] https://security-tracker.debian.org/tracker/CVE-2026-32942
    https://www.cve.org/CVERecord?id=CVE-2026-32942
[9] https://security-tracker.debian.org/tracker/CVE-2026-28799
    https://www.cve.org/CVERecord?id=CVE-2026-28799
[10] https://security-tracker.debian.org/tracker/CVE-2026-29068
     https://www.cve.org/CVERecord?id=CVE-2026-29068
[11] https://security-tracker.debian.org/tracker/CVE-2026-32945
     https://www.cve.org/CVERecord?id=CVE-2026-32945
[12] https://security-tracker.debian.org/tracker/CVE-2026-33069
     https://www.cve.org/CVERecord?id=CVE-2026-33069
[13] https://security-tracker.debian.org/tracker/CVE-2026-34235
     https://www.cve.org/CVERecord?id=CVE-2026-34235

Please adjust the affected versions in the BTS as needed.
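Added worked example, not part of this bug report and not PJSIP's or Asterisk's code: the two CVE texts that give concrete numbers (CVE-2026-40614, the 960-byte PCM-derived decode buffer versus 1280-byte encoded frames, and CVE-2026-40892, the 128-byte ha1 buffer filled from cred_info->data.slen) describe the same defect class, a copy whose length is taken from the input while the destination size is fixed. The C below walks the quoted sizing formula through the 8 kHz mono case and shows the defensive pattern a maintainer would check for when auditing a bundled copy: size the buffer for the larger of the two things that can land in it, and refuse any copy whose length exceeds the destination capacity. The constants MAX_ENCODED_PACKET_SIZE, HA1_BUF_SIZE and MAX_FRAME_MS are stand-ins built from the values quoted above; the functions, the scenario inputs and the reserved NUL byte in the digest buffer are my own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in constants built from the numbers quoted in the CVE text above.
 * They are for illustration and are not PJSIP's own definitions. */
#define MAX_ENCODED_PACKET_SIZE 1280 /* largest encoded Opus frame (CVE-2026-40614) */
#define MAX_FRAME_MS            60   /* 60 ms factor in the quoted PCM formula */
#define HA1_BUF_SIZE            128  /* fixed-size ha1 stack buffer (CVE-2026-40892) */

/* The PCM-derived sizing formula exactly as quoted for CVE-2026-40614:
 * (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this is 960. */
size_t pcm_derived_buf_size(unsigned sample_rate, unsigned channel_cnt)
{
    return (size_t)(sample_rate / 1000) * MAX_FRAME_MS * channel_cnt * 2;
}

/* Hardened sizing: a buffer that can receive either decoded PCM or a raw
 * encoded packet must be at least as large as the bigger of the two. */
size_t safe_decode_buf_size(unsigned sample_rate, unsigned channel_cnt)
{
    size_t pcm = pcm_derived_buf_size(sample_rate, channel_cnt);
    return pcm > MAX_ENCODED_PACKET_SIZE ? pcm : MAX_ENCODED_PACKET_SIZE;
}

/* Bounds-checked replacement for an unchecked memcpy(dst, src, src_len):
 * the copy is refused (returns -1) when the source would not fit. */
int bounded_copy(void *dst, size_t dst_cap, const void *src, size_t src_len)
{
    if (dst == NULL || src == NULL || src_len > dst_cap)
        return -1;
    memcpy(dst, src, src_len);
    return 0;
}

/* Bounds-checked copy of a pre-computed digest into a fixed 128-byte buffer.
 * Assumption (mine, not the advisory's): the buffer is used as a C string,
 * so one byte is reserved for the terminator. Returns 0 on success, -1 if
 * slen is too long for the buffer. */
int copy_digest_credential(char ha1[HA1_BUF_SIZE], const char *data, size_t slen)
{
    if (data == NULL || slen >= HA1_BUF_SIZE)
        return -1;
    memcpy(ha1, data, slen);
    ha1[slen] = '\0';
    return 0;
}

/* Constructed scenario for CVE-2026-40614: a maximal 1280-byte encoded frame
 * offered to a destination whose declared capacity comes from the PCM
 * formula at 8 kHz mono (960 bytes). The backing array is deliberately
 * larger so the demonstration itself stays in bounds; the check is against
 * the declared capacity. Returns 1 when the copy is correctly refused. */
int scenario_opus_frame_into_pcm_sized_buffer(void)
{
    unsigned char frame[MAX_ENCODED_PACKET_SIZE];
    unsigned char dec_buf[MAX_ENCODED_PACKET_SIZE];
    size_t cap = pcm_derived_buf_size(8000, 1); /* 960, the vulnerable size */
    memset(frame, 0xAB, sizeof frame);          /* constructed payload bytes */
    return bounded_copy(dec_buf, cap, frame, sizeof frame) == -1;
}

/* Same frame, destination sized by the hardened formula (1280 at 8 kHz mono).
 * Returns 1 when the copy succeeds. */
int scenario_opus_frame_into_safe_buffer(void)
{
    unsigned char frame[MAX_ENCODED_PACKET_SIZE];
    unsigned char dec_buf[MAX_ENCODED_PACKET_SIZE];
    size_t cap = safe_decode_buf_size(8000, 1);
    memset(frame, 0xAB, sizeof frame);
    return bounded_copy(dec_buf, cap, frame, sizeof frame) == 0;
}

/* Constructed scenario for CVE-2026-40892: credential data longer than the
 * 128-byte ha1 buffer must be refused, while a 32-character hex digest
 * (the usual MD5 length) is accepted. Returns 1 when both hold. */
int scenario_digest_credential_lengths(void)
{
    char ha1[HA1_BUF_SIZE];
    char oversize[300];
    const char *md5_hex = "0123456789abcdef0123456789abcdef"; /* constructed */
    memset(oversize, 'a', sizeof oversize);
    return copy_digest_credential(ha1, oversize, sizeof oversize) == -1 &&
           copy_digest_credential(ha1, md5_hex, strlen(md5_hex)) == 0;
}

int main(void)
{
    printf("PCM-derived size at 8 kHz mono: %zu bytes\n", pcm_derived_buf_size(8000, 1));
    printf("hardened size at 8 kHz mono:    %zu bytes\n", safe_decode_buf_size(8000, 1));
    printf("oversize Opus frame refused:    %d\n", scenario_opus_frame_into_pcm_sized_buffer());
    printf("frame fits hardened buffer:     %d\n", scenario_opus_frame_into_safe_buffer());
    printf("digest length checks hold:      %d\n", scenario_digest_credential_lengths());
    return 0;
}
```

The useful audit question this encodes is not "is the buffer large enough for the common case" but "is every copy into it checked against its actual capacity"; the 8 kHz mono figure quoted in the advisory is the case where the two formulas disagree, which is why the size mismatch only shows up for some configurations.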
