Cascading Out-of-Bounds Heap Read in PJSIP Library by PJSIP
CVE-2026-33069

6.9MEDIUM

Key Information:

Vendor: Pjsip
Status: Pjproject
Vendor: CVE Published:; 20 March 2026

What is CVE-2026-33069?

A cascading out-of-bounds heap read vulnerability exists in the PJSIP library, affecting versions 2.16 and below. This flaw arises in the pjsip_multipart_parse() function, where improper boundary string matching allows the pointer to advance past the delimiter without validating the buffer's end. Consequently, adjacent heap memory can be unintentionally read, posing a risk to applications processing SIP messages with multipart bodies or SDP content. The issue has been addressed in version 2.17, which mitigates this vulnerability.

Affected Version(s)

pjproject < 2.17

References

https://github.com/pjsip/pjproject/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/pjsip/pjproject/commit/f0fa32a226df5f8...

x_refsource_MISC

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2026
Vulnerability Reserved
Mar 17, 2026

CVE-2026-33069 Data

JSON

Pjsip

What is CVE-2026-33069?

Affected Version(s)

References

CVSS V4

Timeline