Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a
stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest
credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as
the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if
data.slen exceeds the expected digest string length. (CVE-2026-40892)
- PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a
buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively
long usernames. (CVE-2026-25994)
- PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical
heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed
H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic
that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the
issue. (CVE-2026-26203)
- PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below,
there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs
when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without
validating that both bytes are within the payload buffer bounds. The vulnerability affects applications
that receive video using H.264. A patch is available at
https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491. (CVE-2026-26967)
- PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a
heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is
triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in
version 2.17. (CVE-2026-28799)
Solution
Update the pjproject library and its related packages to version 2.17-r0 or later.
Plugin Details
Supported Sensors: Agentless Assessment
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 2/11/2026
Reference Information
CVE: CVE-2026-25994, CVE-2026-26203, CVE-2026-26967, CVE-2026-28799, CVE-2026-29068, CVE-2026-32942, CVE-2026-32945, CVE-2026-33069, CVE-2026-34235, CVE-2026-40614, CVE-2026-40892