Heap-based Buffer Overflow in PJSIP H.264 Unpacketizer
CVE-2026-26967

8.1 HIGH

Key Information:

Vendor: Pjsip

Status
Vendor
CVE Published: 20 February 2026

What is CVE-2026-26967?

PJSIP, a multimedia communication library, has a heap-based buffer overflow in its H.264 unpacketizer in versions 2.16 and earlier. When processing malformed SRTP packets, the unpacketizer reads a two-byte NAL unit size field without validating that both bytes lie within the payload buffer. This may lead to arbitrary code execution in applications that rely on H.264 for video processing. A fix has been provided in the repository.
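
A bounds-checked way to read such two-byte size fields, shown as an added example (it is not PJSIP's code and not the upstream fix). It assumes the STAP-A aggregation layout from RFC 6184; the function, type and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* One NAL unit located inside the RTP payload (hypothetical type). */
typedef struct { size_t off; size_t len; } nal_span;

/*
 * Walk an aggregation payload laid out as in RFC 6184 STAP-A:
 *   [1-byte aggregation header] { [2-byte big-endian size] [NAL unit] }*
 * Returns the number of NAL units found, or -1 if a size field or a
 * NAL unit would extend past the end of the payload.
 */
int split_aggregated_nals(const uint8_t *p, size_t len,
                          nal_span *out, size_t max_out)
{
    size_t pos = 1;   /* skip the aggregation header byte */
    size_t n = 0;

    if (p == NULL || out == NULL || len < 1)
        return -1;

    while (pos < len) {
        /* Both bytes of the size field must be inside the buffer.
         * Compare against the remaining length so nothing can wrap. */
        if (len - pos < 2)
            return -1;
        size_t nal_len = ((size_t)p[pos] << 8) | p[pos + 1];
        pos += 2;

        /* A NAL unit has at least a header byte and must fit in
         * what remains of the payload. */
        if (nal_len == 0 || nal_len > len - pos)
            return -1;
        if (n == max_out)
            return -1;   /* caller's table is full */

        out[n].off = pos;
        out[n].len = nal_len;
        n++;
        pos += nal_len;
    }
    return (int)n;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t sample_ok[]    = { 0x18, 0x00, 0x02, 0x67, 0x42, 0x00, 0x01, 0x68 };
static const uint8_t sample_trunc[] = { 0x18, 0x00, 0x02, 0x67, 0x42, 0x00 }; /* half a size field */
static const uint8_t sample_long[]  = { 0x18, 0x00, 0x09, 0x67, 0x42 };       /* size > remaining */
```

The two rejected samples cover the cases the description points at: a size field that is cut off by the end of the payload, and a declared size larger than the bytes that remain.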

Affected Version(s)

pjproject < f821c214e52b11bae11e4cd3c7f0864538fb5491

CVSS V4

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
