CVE-2026-32945

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-32945
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199 Patch
https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q Mitigation Patch Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*
History

23 Mar 2026, 20:54

Type Values Removed Values Added
First Time Pjsip
Pjsip pjsip
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
References () https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199 - () https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199 - Patch
References () https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q - () https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q - Mitigation, Patch, Vendor Advisory
CPE cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*
Summary
  • (es) PJSIP es una biblioteca de comunicación multimedia de código abierto y gratuita escrita en C. Las versiones 2.16 e inferiores tienen una vulnerabilidad de desbordamiento de búfer basado en montón (Heap-based Buffer Overflow) en el gestor de longitud de nombre del analizador DNS. Esto afecta a las aplicaciones que utilizan el resolvedor DNS integrado de PJSIP, como aquellas configuradas con pjsua_config.nameserver o UaConfig.nameserver en PJSUA/PJSUA2. No afecta a los usuarios que dependen del resolvedor del sistema operativo (por ejemplo, getaddrinfo()) al no configurar un servidor de nombres, o a aquellos que utilizan un resolvedor externo a través de pjsip_resolver_set_ext_resolver(). Este problema está solucionado en la versión 2.17. Para los usuarios que no pueden actualizar, una solución alternativa es deshabilitar la resolución DNS en la configuración de PJSIP (estableciendo nameserver_count en cero) o utilizar una implementación de resolvedor externo en su lugar.

20 Mar 2026, 04:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-20 04:16

Updated : 2026-03-23 20:54

NVD link : CVE-2026-32945

Mitre link : CVE-2026-32945

CVE.ORG link : CVE-2026-32945

JSON object : View

Products Affected

pjsip

  • pjsip
CWE
CWE-122

Heap-based Buffer Overflow