Description
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in a SIP multipart message body. Insufficient length validation can cause reads beyond the intended buffer bounds. This vulnerability is fixed in 2.17.
References (2)
x_refsource_confirm: https://github.com/pjsip/pjproject/security/advisories/GHSA-935m-fmf5-j4pm
x_refsource_misc: https://github.com/pjsip/pjproject/commit/4225a93c16661538005017883fbc8f1ea1d5f4b0
Scores
CVSS v3: 9.1
EPSS: 0.0031
EPSS Percentile: 22.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-125
Status: published
Products (2)
pjsip/pjproject: < 2.17
teluu/pjsip: < 2.17
Published: Apr 24, 2026
Tracked Since: Apr 24, 2026