PT-2026-34044 · Pjsip · Pjproject
Published 2026-04-21 · Updated 2026-04-21 · CVE-2026-40614
CVSS v4.0: 8.5 High
AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
PJSIP versions prior to 2.17
Description
A heap buffer overflow occurs when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers dec_frame[].buf are allocated using a PCM-derived formula that can result in a size of 960 bytes for 8 kHz mono audio. However, the codec_parse() function can output encoded frames up to 1280 bytes via opus_repacketizer_out_range(). Consequently, three pj_memcpy() calls within the codec_decode() function copy input->size bytes without bounds checking, leading to the overflow.
Recommendations
Update to a version later than 2.16.
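The size mismatch from the description, as an added example that is not PJSIP code and not the project's fix: a decode slot allocated at 960 bytes receives a frame of up to 1280 bytes. The struct and function names (frame_slot, slot_init, slot_store_unchecked, slot_store_checked) are hypothetical; only the two sizes come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PCM_DERIVED_CAP  960u   /* decode buffer size for 8 kHz mono (advisory) */
#define MAX_PARSED_FRAME 1280u  /* largest frame the parse step can emit (advisory) */

/* Hypothetical stand-in for one decode slot; not the PJSIP structure. */
struct frame_slot {
    uint8_t *buf;
    size_t   cap;   /* allocated bytes, kept so every copy can be checked */
    size_t   size;  /* bytes currently stored */
};

int slot_init(struct frame_slot *s, size_t cap)
{
    s->buf = malloc(cap);
    s->cap = s->buf ? cap : 0;
    s->size = 0;
    return s->buf ? 0 : -1;
}

/* Vulnerable pattern (comparison only): overflows when in_size > s->cap. */
void slot_store_unchecked(struct frame_slot *s, const void *in, size_t in_size)
{
    memcpy(s->buf, in, in_size);
    s->size = in_size;
}

/* Hardened form: refuse a frame that does not fit the allocation. */
int slot_store_checked(struct frame_slot *s, const void *in, size_t in_size)
{
    if (in == NULL || in_size > s->cap)
        return -1;  /* caller drops the frame; slot contents unchanged */
    memcpy(s->buf, in, in_size);
    s->size = in_size;
    return 0;
}

int main(void)
{
    uint8_t frame[MAX_PARSED_FRAME] = {0};  /* constructed sample input */
    struct frame_slot s;
    if (slot_init(&s, PCM_DERIVED_CAP) != 0) return 1;
    printf("960-byte frame: %d\n", slot_store_checked(&s, frame, PCM_DERIVED_CAP));
    printf("1280-byte frame: %d\n", slot_store_checked(&s, frame, MAX_PARSED_FRAME));
    free(s.buf);
    return 0;
}
```

Sizing the slot for the largest frame the parser can produce removes the mismatch at the source; the length check still belongs at every copy site.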
Fix
Heap Based Buffer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Pjproject