Bug#1135620: asterisk: CVE-2025-65102
Moritz Mühlenhoff
jmm at inutil.org
Sun May 3 17:34:51 BST 2026
Source: asterisk
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for asterisk.
CVE-2025-65102[0]:
| PJSIP is a free and open source multimedia communication library.
| Prior to version 2.16, Opus PLC may zero-fill the input frame as
| long as the decoder ptime, while the input frame length, which is
| based on stream ptime, may be less than that. This issue affects
| PJSIP users who use the Opus audio codec in receiving direction. The
| vulnerability can lead to unexpected application termination due to
| a memory overwrite. This issue has been patched in version 2.16.
https://github.com/pjsip/pjproject/security/advisories/GHSA-w5vr-39x7-h8g5
https://github.com/pjsip/pjproject/commit/6e9bd2e7d25bba26f852771b40693f45da14fa8f
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-65102
https://www.cve.org/CVERecord?id=CVE-2025-65102
Please adjust the affected versions in the BTS as needed.
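
The size mismatch described in the CVE text, as an added example that is not part of the original report and not pjproject code: the PLC zero-fill length is derived from the decoder ptime while the receive buffer was sized from the stream ptime. The ptime values, clock rate, function names and the clamp shown as a hardening are assumptions for illustration; the upstream fix is the commit linked above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the size mismatch; NOT pjproject code. All names are hypothetical. */
#define CLOCK_RATE 48000u            /* assumed Opus clock rate */
#define STREAM_PTIME_MS 10u          /* constructed: stream packetises 10 ms */
#define DEC_PTIME_MS 20u             /* constructed: decoder configured for 20 ms */
#define STREAM_SAMPLES (CLOCK_RATE * STREAM_PTIME_MS / 1000u)

/* Bytes of 16-bit PCM in one frame of the given ptime. */
static size_t frame_bytes(unsigned ptime_ms) {
    return (size_t)CLOCK_RATE * ptime_ms / 1000u * sizeof(int16_t);
}

/* Bytes the flawed pattern would write past a buffer of cap bytes
 * when the fill length comes from the decoder ptime alone. */
static size_t plc_overrun_bytes(size_t cap, unsigned dec_ptime_ms) {
    size_t want = frame_bytes(dec_ptime_ms);
    return want > cap ? want - cap : 0;
}

/* Hardened fill: never write more than the input frame can hold. */
static size_t plc_zero_fill(int16_t *frame, size_t cap, unsigned dec_ptime_ms) {
    size_t want = frame_bytes(dec_ptime_ms);
    size_t n = want < cap ? want : cap;
    memset(frame, 0, n);
    return n;
}

/* Returns 1 if the bytes after the frame survive the bounded fill. */
static int demo_canary_intact(void) {
    struct { int16_t frame[STREAM_SAMPLES]; unsigned char canary[16]; } rx;
    memset(&rx, 0xAA, sizeof rx);
    size_t n = plc_zero_fill(rx.frame, sizeof rx.frame, DEC_PTIME_MS);
    for (size_t i = 0; i < sizeof rx.canary; i++)
        if (rx.canary[i] != 0xAA) return 0;
    return n == sizeof rx.frame && rx.frame[STREAM_SAMPLES - 1] == 0;
}

int main(void) {
    printf("unchecked fill would overrun by %zu bytes\n",
           plc_overrun_bytes(frame_bytes(STREAM_PTIME_MS), DEC_PTIME_MS));
    printf("bounded fill leaves canary intact: %d\n", demo_canary_intact());
    return 0;
}
```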