Heap-based Buffer Overflow in PJSIP Open Source Multimedia Communication Library
CVE-2026-32945

8.4 HIGH

Key Information:

Vendor: Pjsip

Status
Vendor
CVE Published: 20 March 2026

Badges

👾 Exploit Exists
🟡 Public PoC

What is CVE-2026-32945?

The PJSIP multimedia communication library has a heap-based buffer overflow in the name length handler of its DNS parser. The issue affects applications that use PJSIP's built-in DNS resolver, which is enabled by configuring a nameserver through the pjsua_config.nameserver or UaConfig.nameserver settings. Applications that rely on the operating system's resolver (no nameserver configured) or that use an external resolver are not affected. The vulnerability is fixed in PJSIP version 2.17. Where upgrading is not possible, the recommended temporary workaround is to disable DNS resolution by setting nameserver_count to zero, or to use an external DNS resolver.

Affected Version(s)

pjproject < 2.17

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved
