VDB
CVE-2026-33069
CVE-2026-33069
PUBLISHED
CVSS 6.900000095367432 MEDIUM
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.
EPSS 0.05% · 15.5th percentile
Risk Scores
CVSS v4.0
6.900000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.05%
15.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| pjsip | pjsip | 0, 0, 0 |
| pjsip | pjproject | *, < 2.17, < 2.17 |
Timeline
- Mar 20, 2026 EPSS Score
- Mar 20, 2026 CVE Published
- Mar 20, 2026 PoC Published
- Mar 20, 2026 CVE Updated
- Mar 21, 2026 EPSS Score
- Mar 22, 2026 EPSS Score
- Mar 22, 2026 Coalition ESS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
- Mar 25, 2026 EPSS Score
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
References
- https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj url
- https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db url
- https://github.com/asterisk/asterisk/security/advisories/GHSA-x2f3-ccvh-2rr2 advisory
- https://github.com/asterisk/asterisk/security/advisories/GHSA-x6qg-jfj6-6f93 advisory
- https://github.com/asterisk/asterisk/security/advisories/GHSA-f948-v379-526c advisory
- https://github.com/asterisk/asterisk/security/advisories/GHSA-rrfc-6662-c6hm advisory