CVE-2026-32942

Published: Mar 20, 2026Modified: Mar 23, 2026

8.0

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security-advisories@github.com (Secondary)

Description

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.

Affected (1)

Products: Pjsip: Pjsip

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pjsip Pjsip	Before 2.17

Related CWEs

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (3)

https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a

Source: security-advisories@github.com

Patch

https://github.com/pjsip/pjproject/issues/1451

Source: security-advisories@github.com

Issue Tracking

https://github.com/pjsip/pjproject/security/advisories/GHSA-g88q-c2hm-q7p7

Source: security-advisories@github.com

PatchVendor Advisory

Timeline

No history available yet.