Bug#1134884: asterisk: CVE-2025-65102 CVE-2026-25994 CVE-2026-41415 CVE-2026-40614 CVE-2026-40892 CVE-2026-41416 CVE-2026-26203 CVE-2026-26967 CVE-2026-32942 CVE-2026-28799 CVE-2026-29068 CVE-2026-32945 CVE-2026-33069 CVE-2026-34235

Rob van der Putten rob at sput.nl
Sun Apr 26 19:19:25 BST 2026


Hi there


On 25/04/2026 13:04, Moritz Mühlenhoff wrote:

> Source: asterisk
> X-Debbugs-CC: team at security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> Multiple security issues were reported against pjsip and fixed
> in 2.17. Asterisk bundles 2.16 in unstable:

Is it possible that these bugs don't affect Asterisk 22.9.0?
There are a bunch of patches in the Asterisk source pjproject directory 
and some of the broken pjsip 2.16 bits may not be implemented in Asterisk.
There are some references to bugs in the changelog, but unfortunately, 
these are descriptions rather than CVE numbers.

> CVE-2025-65102[0]:
> | PJSIP is a free and open source multimedia communication library.
> | Prior to version 2.16, Opus PLC may zero-fill the input frame as
> | long as the decoder ptime, while the input frame length, which is
> | based on stream ptime, may be less than that. This issue affects
> | PJSIP users who use the Opus audio codec in receiving direction. The
> | vulnerability can lead to unexpected application termination due to
> | a memory overwrite. This issue has been patched in version 2.16.
> 
> 
> CVE-2026-25994[1]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. In 2.16 and earlier, a buffer overflow vulnerability
> | exists in PJNATH ICE Session when processing credentials with
> | excessively long usernames.
> 
> 
> CVE-2026-41415[2]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. In 2.16 and earlier, there is an out-of-bounds read
> | when parsing a malformed Content-ID URI in SIP multipart message
> | body. Insufficient length validation can cause reads beyond the
> | intended buffer bounds. This vulnerability is fixed in 2.17.
> 
> 
> CVE-2026-40614[3]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. In 2.16 and earlier, there is a buffer overflow when
> | decoding Opus audio frames due to insufficient buffer size
> | validation in the Opus codec decode path. The FEC decode buffers
> | (dec_frame[].buf) were allocated based on a PCM-derived formula:
> | (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields
> | only 960 bytes, but codec_parse() can output encoded frames up to
> | MAX_ENCODED_PACKET_SIZE (1280) bytes via
> | opus_repacketizer_out_range(). The three pj_memcpy() calls in
> | codec_decode() copied input->size bytes without bounds checking,
> | causing a heap buffer overflow.
> 
> 
> CVE-2026-40892[4]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. In 2.16 and earlier, a stack buffer overflow exists in
> | pjsip_auth_create_digest2() in PJSIP when using pre-computed digest
> | credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential
> | data using cred_info->data.slen as the length without an upper-bound
> | check, which can overflow the fixed-size ha1 stack buffer (128
> | bytes) if data.slen exceeds the expected digest string length.
> 
> 
> CVE-2026-41416[5]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. In 2.16 and earlier, there is an integer overflow in
> | media stream buffer size calculation when processing SDP with
> | asymmetric ptime configuration. The overflow may result in an
> | undersized buffer allocation, which can lead to unexpected
> | application termination or memory corruption. This vulnerability is
> | fixed in 2.17.
> 
> 
> CVE-2026-26203[6]:
> | PJSIP is a free and open source multimedia communication library.
> | Versions prior to 2.17 have a critical heap buffer underflow
> | vulnerability in PJSIP's H.264 packetizer. The bug occurs when
> | processing malformed H.264 bitstreams without NAL unit start codes,
> | where the packetizer performs unchecked pointer arithmetic that can
> | read from memory located before the allocated buffer. Version 2.17
> | contains a patch for the issue.
> 
> 
> CVE-2026-26967[7]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. In versions 2.16 and below, there is a critical Heap-
> | based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer.
> | The bug occurs when processing malformed SRTP packets, where the
> | unpacketizer reads a 2-byte NAL unit size field without validating
> | that both bytes are within the payload buffer bounds. The
> | vulnerability affects applications that receive video using H.264. A
> | patch is available at
> | https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491.
> 
> 
> CVE-2026-32942[8]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. Versions 2.16 and below contain a heap use-after-free
> | vulnerability in the ICE session that occurs when there are race
> | conditions between session destruction and the callbacks. This issue
> | has been fixed in version 2.17.
> 
> 
> CVE-2026-28799[9]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. Prior to version 2.17, a heap use-after-free
> | vulnerability exists in PJSIP's event subscription framework
> | (evsub.c) that is triggered during presence unsubscription
> | (SUBSCRIBE with Expires=0). This issue has been patched in version
> | 2.17.
> 
> 
> CVE-2026-29068[10]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. Prior to version 2.17, there is a stack buffer
> | overflow vulnerability when pjmedia-codec parses an RTP payload
> | containing more frames than the caller-provided frames can hold. This
> | issue has been patched in version 2.17.
> 
> 
> CVE-2026-32945[11]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. Versions 2.16 and below have a Heap-based Buffer
> | Overflow vulnerability in the DNS parser's name length handler.
> | This impacts applications using PJSIP's built-in DNS resolver, such
> | as those configured with pjsua_config.nameserver or
> | UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who
> | rely on the OS resolver (e.g., getaddrinfo()) by not configuring a
> | nameserver, or those using an external resolver via
> | pjsip_resolver_set_ext_resolver(). This issue is fixed in version
> | 2.17. For users unable to upgrade, a workaround is to disable DNS
> | resolution in the PJSIP config (by setting nameserver_count to zero)
> | or to use an external resolver implementation instead.
> 
> 
> CVE-2026-33069[12]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. Versions 2.16 and below have a cascading out-of-bounds
> | heap read in pjsip_multipart_parse(). After boundary string
> | matching, curptr is advanced past the delimiter without verifying it
> | has not reached the buffer end. This allows 1-2 bytes of adjacent
> | heap memory to be read. All applications that process incoming SIP
> | messages with multipart bodies or SDP content are potentially
> | affected. This issue is resolved in version 2.17.
> 
> 
> CVE-2026-34235[13]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. Prior to version 2.17, a heap out-of-bounds read
> | vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs
> | when parsing crafted VP9 Scalability Structure (SS) data.
> | Insufficient bounds checking on the payload descriptor length may
> | cause reads beyond the allocated RTP payload buffer. This issue has
> | been patched in version 2.17. A workaround for this issue involves
> | disabling VP9 codec if not needed.
> 
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2025-65102
>      https://www.cve.org/CVERecord?id=CVE-2025-65102
> [1] https://security-tracker.debian.org/tracker/CVE-2026-25994
>      https://www.cve.org/CVERecord?id=CVE-2026-25994
> [2] https://security-tracker.debian.org/tracker/CVE-2026-41415
>      https://www.cve.org/CVERecord?id=CVE-2026-41415
> [3] https://security-tracker.debian.org/tracker/CVE-2026-40614
>      https://www.cve.org/CVERecord?id=CVE-2026-40614
> [4] https://security-tracker.debian.org/tracker/CVE-2026-40892
>      https://www.cve.org/CVERecord?id=CVE-2026-40892
> [5] https://security-tracker.debian.org/tracker/CVE-2026-41416
>      https://www.cve.org/CVERecord?id=CVE-2026-41416
> [6] https://security-tracker.debian.org/tracker/CVE-2026-26203
>      https://www.cve.org/CVERecord?id=CVE-2026-26203
> [7] https://security-tracker.debian.org/tracker/CVE-2026-26967
>      https://www.cve.org/CVERecord?id=CVE-2026-26967
> [8] https://security-tracker.debian.org/tracker/CVE-2026-32942
>      https://www.cve.org/CVERecord?id=CVE-2026-32942
> [9] https://security-tracker.debian.org/tracker/CVE-2026-28799
>      https://www.cve.org/CVERecord?id=CVE-2026-28799
> [10] https://security-tracker.debian.org/tracker/CVE-2026-29068
>      https://www.cve.org/CVERecord?id=CVE-2026-29068
> [11] https://security-tracker.debian.org/tracker/CVE-2026-32945
>      https://www.cve.org/CVERecord?id=CVE-2026-32945
> [12] https://security-tracker.debian.org/tracker/CVE-2026-33069
>      https://www.cve.org/CVERecord?id=CVE-2026-33069
> [13] https://security-tracker.debian.org/tracker/CVE-2026-34235
>      https://www.cve.org/CVERecord?id=CVE-2026-34235
> 
> Please adjust the affected versions in the BTS as needed.

Regards,
Rob
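
The size mismatch described for CVE-2026-40614 above, worked through as an added example that is not part of the original e-mail and is not pjproject or Asterisk code. The formula and MAX_ENCODED_PACKET_SIZE come from the quoted description; the function names, the sizing rule and the checked copy are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limit quoted in the CVE-2026-40614 description. */
#define MAX_ENCODED_PACKET_SIZE 1280

/* PCM-derived size from the description: (sample_rate/1000) * 60 * channel_cnt * 2 */
static size_t pcm_derived_size(unsigned sample_rate, unsigned channel_cnt)
{
    return (size_t)(sample_rate / 1000) * 60 * channel_cnt * 2;
}

/* Assumed sizing rule (not taken from pjproject): a buffer that receives
 * encoded frames is never smaller than the largest encoded frame. */
static size_t encoded_buf_size(unsigned sample_rate, unsigned channel_cnt)
{
    size_t pcm = pcm_derived_size(sample_rate, channel_cnt);
    return pcm > MAX_ENCODED_PACKET_SIZE ? pcm : MAX_ENCODED_PACKET_SIZE;
}

/* Copy that refuses oversized input: 0 on success, -1 if the frame does not fit. */
static int copy_frame(unsigned char *dst, size_t dst_cap,
                      const unsigned char *src, size_t src_len)
{
    if (!dst || !src || src_len > dst_cap)
        return -1;
    memcpy(dst, src, src_len);
    return 0;
}

/* Constructed input: a zeroed frame of src_len bytes into a dst_cap-byte heap buffer. */
static int try_copy(size_t dst_cap, size_t src_len)
{
    static unsigned char src[MAX_ENCODED_PACKET_SIZE];
    unsigned char *dst = malloc(dst_cap);
    int rc = (src_len <= sizeof src) ? copy_frame(dst, dst_cap, src, src_len) : -1;
    free(dst);
    return rc;
}

int main(void)
{
    size_t weak = pcm_derived_size(8000, 1);
    size_t fixed = encoded_buf_size(8000, 1);
    printf("1280-byte frame into %zu bytes: %d\n", weak, try_copy(weak, 1280));
    printf("1280-byte frame into %zu bytes: %d\n", fixed, try_copy(fixed, 1280));
    return 0;
}
```

At 8 kHz mono the PCM-derived buffer is 320 bytes short of the largest encoded frame, so the checked copy rejects the frame instead of writing past the allocation.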





More information about the Pkg-voip-maintainers mailing list