Alpine: multiple pjproject packages: security update to 2.17-r0

critical Tenable Self-Hosted Container Security Plugin ID 444415

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a
stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest
credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as
the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if
data.slen exceeds the expected digest string length. (CVE-2026-40892)

- PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a
buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively
long usernames. (CVE-2026-25994)

- PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical
heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed
H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic
that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the
issue. (CVE-2026-26203)

- PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below,
there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs
when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without
validating that both bytes are within the payload buffer bounds. The vulnerability affects applications
that receive video using H.264. A patch is available at
https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491. (CVE-2026-26967)

- PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a
heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is
triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in
version 2.17. (CVE-2026-28799)

Solution

Update the pjproject library and its related packages to version 2.17-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-25994

https://security.alpinelinux.org/vuln/CVE-2026-26203

https://security.alpinelinux.org/vuln/CVE-2026-26967

https://security.alpinelinux.org/vuln/CVE-2026-28799

https://security.alpinelinux.org/vuln/CVE-2026-29068

https://security.alpinelinux.org/vuln/CVE-2026-32942

https://security.alpinelinux.org/vuln/CVE-2026-32945

https://security.alpinelinux.org/vuln/CVE-2026-33069

https://security.alpinelinux.org/vuln/CVE-2026-34235

https://security.alpinelinux.org/vuln/CVE-2026-40614

https://security.alpinelinux.org/vuln/CVE-2026-40892

Plugin Details

Severity: Critical

ID: 444415

Version: Revision 1.2

Type: Local

Published: 7/5/2026

Updated: 7/6/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.48

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-40892

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.1

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/11/2026

Reference Information

CVE: CVE-2026-25994, CVE-2026-26203, CVE-2026-26967, CVE-2026-28799, CVE-2026-29068, CVE-2026-32942, CVE-2026-32945, CVE-2026-33069, CVE-2026-34235, CVE-2026-40614, CVE-2026-40892