CVSS 7.5 · HIGH

CVE-2026-41416

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in the media stream buffer size calculation when processing SDP with an asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption. This vulnerability is fixed in 2.17.


Analysis

PJSIP 2.16 and earlier contains an integer overflow vulnerability in its media stream buffer calculation during SDP processing. Applications and servers using this library for VoIP or WebRTC, such as Asterisk or custom softphones, are vulnerable to memory corruption or crashes when receiving malicious session descriptions.

Severity

Score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: NONE
I: NONE
A: HIGH
Weakness (CWE): CWE-190

EPSS

Probability of exploitation (next 30 days): 0.0006 (0.1%)
Percentile: 17.0%
EPSS: 2026-05-06

Affects

teluu:pjsip

Technical description

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in the media stream buffer size calculation when processing SDP with an asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption. This vulnerability is fixed in 2.17.

Published: 4/24/2026, 7:17:13 PM
Last modified: 4/28/2026, 6:30:20 PM
