VDB

CVE-2026-26203

CVE-2026-26203 PUBLISHED CVSS 5.099999904632568 MEDIUM

PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.

EPSS 0.02% · 5.6th percentile

Risk Scores

CVSS v4.0
5.099999904632568
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L
EPSS Score
0.02%
5.6th percentile

Affected Products

VendorProductVersions
pjsippjsip0, 0
pjsippjmedia-video< 2.17, < 2.17

Timeline

  • Feb 11, 2026 CVE ID Reserved
  • Feb 19, 2026 CVE Published
  • Feb 19, 2026 CVE Updated
  • Feb 20, 2026 EPSS Score
  • Feb 22, 2026 EPSS Score
  • Feb 23, 2026 EPSS Score
  • Feb 25, 2026 EPSS Score
  • Feb 27, 2026 EPSS Score
  • Feb 28, 2026 EPSS Score
  • Mar 2, 2026 EPSS Score
  • Mar 4, 2026 EPSS Score
  • Mar 5, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›