Bug#1134884: asterisk: CVE-2025-65102 CVE-2026-25994 CVE-2026-41415 CVE-2026-40614 CVE-2026-40892 CVE-2026-41416 CVE-2026-26203 CVE-2026-26967 CVE-2026-32942 CVE-2026-28799 CVE-2026-29068 CVE-2026-32945 CVE-2026-33069 CVE-2026-34235

Moritz Mühlenhoff jmm at inutil.org
Sat Apr 25 12:04:58 BST 2026


Source: asterisk
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

Multiple security issues were reported against pjsip and fixed
in 2.17. Asterisk bundles 2.16 in unstable:

CVE-2025-65102[0]:
| PJSIP is a free and open source multimedia communication library.
| Prior to version 2.16, Opus PLC may zero-fill the input frame as
| long as the decoder ptime, while the input frame length, which is
| based on stream ptime, may be less than that. This issue affects
| PJSIP users who use the Opus audio codec in receiving direction. The
| vulnerability can lead to unexpected application termination due to
| a memory overwrite. This issue has been patched in version 2.16.


CVE-2026-25994[1]:
| PJSIP is a free and open source multimedia communication library
| written in C. In 2.16 and earlier, a buffer overflow vulnerability
| exists in PJNATH ICE Session when processing credentials with
| excessively long usernames.


CVE-2026-41415[2]:
| PJSIP is a free and open source multimedia communication library
| written in C. In 2.16 and earlier, there is an out-of-bounds read
| when parsing a malformed Content-ID URI in SIP multipart message
| body. Insufficient length validation can cause reads beyond the
| intended buffer bounds. This vulnerability is fixed in 2.17.


CVE-2026-40614[3]:
| PJSIP is a free and open source multimedia communication library
| written in C. In 2.16 and earlier, there is a buffer overflow when
| decoding Opus audio frames due to insufficient buffer size
| validation in the Opus codec decode path. The FEC decode buffers
| (dec_frame[].buf) were allocated based on a PCM-derived formula:
| (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields
| only 960 bytes, but codec_parse() can output encoded frames up to
| MAX_ENCODED_PACKET_SIZE (1280) bytes via
| opus_repacketizer_out_range(). The three pj_memcpy() calls in
| codec_decode() copied input->size bytes without bounds checking,
| causing a heap buffer overflow.


CVE-2026-40892[4]:
| PJSIP is a free and open source multimedia communication library
| written in C. In 2.16 and earlier, a stack buffer overflow exists in
| pjsip_auth_create_digest2() in PJSIP when using pre-computed digest
| credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential
| data using cred_info->data.slen as the length without an upper-bound
| check, which can overflow the fixed-size ha1 stack buffer (128
| bytes) if data.slen exceeds the expected digest string length.


CVE-2026-41416[5]:
| PJSIP is a free and open source multimedia communication library
| written in C. In 2.16 and earlier, there is an integer overflow in
| media stream buffer size calculation when processing SDP with
| asymmetric ptime configuration. The overflow may result in an
| undersized buffer allocation, which can lead to unexpected
| application termination or memory corruption. This vulnerability is
| fixed in 2.17.


CVE-2026-26203[6]:
| PJSIP is a free and open source multimedia communication library.
| Versions prior to 2.17 have a critical heap buffer underflow
| vulnerability in PJSIP's H.264 packetizer. The bug occurs when
| processing malformed H.264 bitstreams without NAL unit start codes,
| where the packetizer performs unchecked pointer arithmetic that can
| read from memory located before the allocated buffer. Version 2.17
| contains a patch for the issue.


CVE-2026-26967[7]:
| PJSIP is a free and open source multimedia communication library
| written in C. In versions 2.16 and below, there is a critical Heap-
| based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer.
| The bug occurs when processing malformed SRTP packets, where the
| unpacketizer reads a 2-byte NAL unit size field without validating
| that both bytes are within the payload buffer bounds. The
| vulnerability affects applications that receive video using H.264. A
| patch is available at
| https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491.


CVE-2026-32942[8]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.16 and below contain a heap use-after-free
| vulnerability in the ICE session that occurs when there are race
| conditions between session destruction and the callbacks. This issue
| has been fixed in version 2.17.


CVE-2026-28799[9]:
| PJSIP is a free and open source multimedia communication library
| written in C. Prior to version 2.17, a heap use-after-free
| vulnerability exists in PJSIP's event subscription framework
| (evsub.c) that is triggered during presence unsubscription
| (SUBSCRIBE with Expires=0). This issue has been patched in version
| 2.17.


CVE-2026-29068[10]:
| PJSIP is a free and open source multimedia communication library
| written in C. Prior to version 2.17, there is a stack buffer
| overflow vulnerability when pjmedia-codec parses an RTP payload
| containing more frames than the caller-provided frames can hold. This
| issue has been patched in version 2.17.


CVE-2026-32945[11]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.16 and below have a Heap-based Buffer
| Overflow vulnerability in the DNS parser's name length handler.
| This impacts applications using PJSIP's built-in DNS resolver, such
| as those configured with pjsua_config.nameserver or
| UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who
| rely on the OS resolver (e.g., getaddrinfo()) by not configuring a
| nameserver, or those using an external resolver via
| pjsip_resolver_set_ext_resolver(). This issue is fixed in version
| 2.17. For users unable to upgrade, a workaround is to disable DNS
| resolution in the PJSIP config (by setting nameserver_count to zero)
| or to use an external resolver implementation instead.


CVE-2026-33069[12]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.16 and below have a cascading out-of-bounds
| heap read in pjsip_multipart_parse(). After boundary string
| matching, curptr is advanced past the delimiter without verifying it
| has not reached the buffer end. This allows 1-2 bytes of adjacent
| heap memory to be read. All applications that process incoming SIP
| messages with multipart bodies or SDP content are potentially
| affected. This issue is resolved in version 2.17.


CVE-2026-34235[13]:
| PJSIP is a free and open source multimedia communication library
| written in C. Prior to version 2.17, a heap out-of-bounds read
| vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs
| when parsing crafted VP9 Scalability Structure (SS) data.
| Insufficient bounds checking on the payload descriptor length may
| cause reads beyond the allocated RTP payload buffer. This issue has
| been patched in version 2.17. A workaround for this issue involves
| disabling VP9 codec if not needed.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-65102
    https://www.cve.org/CVERecord?id=CVE-2025-65102
[1] https://security-tracker.debian.org/tracker/CVE-2026-25994
    https://www.cve.org/CVERecord?id=CVE-2026-25994
[2] https://security-tracker.debian.org/tracker/CVE-2026-41415
    https://www.cve.org/CVERecord?id=CVE-2026-41415
[3] https://security-tracker.debian.org/tracker/CVE-2026-40614
    https://www.cve.org/CVERecord?id=CVE-2026-40614
[4] https://security-tracker.debian.org/tracker/CVE-2026-40892
    https://www.cve.org/CVERecord?id=CVE-2026-40892
[5] https://security-tracker.debian.org/tracker/CVE-2026-41416
    https://www.cve.org/CVERecord?id=CVE-2026-41416
[6] https://security-tracker.debian.org/tracker/CVE-2026-26203
    https://www.cve.org/CVERecord?id=CVE-2026-26203
[7] https://security-tracker.debian.org/tracker/CVE-2026-26967
    https://www.cve.org/CVERecord?id=CVE-2026-26967
[8] https://security-tracker.debian.org/tracker/CVE-2026-32942
    https://www.cve.org/CVERecord?id=CVE-2026-32942
[9] https://security-tracker.debian.org/tracker/CVE-2026-28799
    https://www.cve.org/CVERecord?id=CVE-2026-28799
[10] https://security-tracker.debian.org/tracker/CVE-2026-29068
    https://www.cve.org/CVERecord?id=CVE-2026-29068
[11] https://security-tracker.debian.org/tracker/CVE-2026-32945
    https://www.cve.org/CVERecord?id=CVE-2026-32945
[12] https://security-tracker.debian.org/tracker/CVE-2026-33069
    https://www.cve.org/CVERecord?id=CVE-2026-33069
[13] https://security-tracker.debian.org/tracker/CVE-2026-34235
    https://www.cve.org/CVERecord?id=CVE-2026-34235

Please adjust the affected versions in the BTS as needed.
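
The buffer sizing mismatch described for CVE-2026-40614, worked through as a stand-alone C model (an added example, not pjproject code and not part of the original report). `safe_buf_size()` and `copy_frame_checked()` are hypothetical names, and the list of Opus clock rates is an assumption based on the rates Opus supports rather than a value from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value quoted in the CVE-2026-40614 description. */
#define MAX_ENCODED_PACKET_SIZE 1280

/* PCM-derived size from the description: (sample_rate/1000) * 60 * channel_cnt * 2 */
static size_t pcm_derived_size(unsigned sample_rate, unsigned channel_cnt)
{
    return (size_t)(sample_rate / 1000) * 60 * channel_cnt * 2;
}

/* Hypothetical hardened sizing: never smaller than the largest encoded frame. */
static size_t safe_buf_size(unsigned sample_rate, unsigned channel_cnt)
{
    size_t n = pcm_derived_size(sample_rate, channel_cnt);
    return n < MAX_ENCODED_PACKET_SIZE ? MAX_ENCODED_PACKET_SIZE : n;
}

/* Hypothetical bounded copy: reject the frame instead of writing past dst. */
static int copy_frame_checked(void *dst, size_t dst_cap, const void *src, size_t src_len)
{
    if (src_len > dst_cap)
        return -1;
    memcpy(dst, src, src_len);
    return 0;
}

/* Count rate/channel combinations whose PCM-derived buffer is below 1280 bytes. */
static int count_undersized(void)
{
    static const unsigned rates[] = { 8000, 12000, 16000, 24000, 48000 };
    int undersized = 0;
    for (size_t i = 0; i < sizeof rates / sizeof rates[0]; i++)
        for (unsigned ch = 1; ch <= 2; ch++)
            if (pcm_derived_size(rates[i], ch) < MAX_ENCODED_PACKET_SIZE)
                undersized++;
    return undersized;
}

int main(void)
{
    unsigned char frame[MAX_ENCODED_PACKET_SIZE] = {0}; /* constructed max-size frame */
    unsigned char small[960];
    printf("8 kHz mono: %zu bytes (hardened: %zu), undersized configs: %d\n",
           pcm_derived_size(8000, 1), safe_buf_size(8000, 1), count_undersized());
    printf("checked copy of 1280 bytes into 960-byte buffer: %d\n",
           copy_frame_checked(small, sizeof small, frame, sizeof frame));
    return 0;
}
```

Under the quoted formula, 8 kHz mono is the only one of these combinations that falls below `MAX_ENCODED_PACKET_SIZE`.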


