CVE-2026-28799 — Vulnetix

CVE-2026-28799 PUBLISHED CVSS 8.699999809265137 HIGH

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.

EPSS 0.06% · 19.8th percentile

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.06%

19.8th percentile

Affected Products

Vendor	Product	Versions
pjsip	pjproject	< 2.17, < 2.17, *
pjsip	pjsip	0, 0, 0

Timeline

Mar 3, 2026 CVE ID Reserved
Mar 6, 2026 EPSS Score
Mar 6, 2026 CVE Published
Mar 6, 2026 PoC Published
Mar 7, 2026 EPSS Score
Mar 8, 2026 EPSS Score
Mar 9, 2026 CVE Updated
Mar 10, 2026 EPSS Score
Mar 11, 2026 EPSS Score
Mar 12, 2026 EPSS Score
Mar 13, 2026 EPSS Score
Mar 14, 2026 EPSS Score

References

https://github.com/pjsip/pjproject/security/advisories/GHSA-8fj4-fv9f-hjpc url
https://github.com/pjsip/pjproject/commit/e06ff6c64741cc1675fd3296615910f532f6b1a1 url
https://github.com/asterisk/asterisk/security/advisories/GHSA-x2f3-ccvh-2rr2 advisory
https://github.com/asterisk/asterisk/security/advisories/GHSA-x6qg-jfj6-6f93 advisory
https://github.com/asterisk/asterisk/security/advisories/GHSA-f948-v379-526c advisory
https://github.com/asterisk/asterisk/security/advisories/GHSA-rrfc-6662-c6hm advisory

Open in Interactive Console →