Buffer Overflow in PJSIP Audio Codec Affects Multimedia Communication Software
CVE-2026-40614

8.5HIGH

Key Information:

Vendor: Pjsip
Status: Pjproject
Vendor: CVE Published:; 21 April 2026

What is CVE-2026-40614?

The PJSIP library, used for multimedia communication, contains a vulnerability that allows a buffer overflow during the decoding of Opus audio frames. This issue is due to insufficient validation of buffer sizes when processing audio data, specifically in the codec_decode function. The output buffer is allocated based on a formula that does not account for maximum encoded frame sizes, which can lead to copying more data than the allocated buffer can hold. This flaw exposes the system to potential exploitation, allowing adversaries to cause crashes or introduce malicious code.

Affected Version(s)

pjproject <= 2.16

References

https://github.com/pjsip/pjproject/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/pjsip/pjproject/commit/17897e835818f8e...

x_refsource_MISC

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 14, 2026

CVE-2026-40614 Data

JSON

Pjsip

What is CVE-2026-40614?

Affected Version(s)

References

CVSS V4

Timeline