CVE-2021-43804 in PJSIPinfo

Summary

by MITRE • 12/22/2021

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message contains a reason's length, this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bound read access. This issue affects all users that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length. Users are advised to upgrade as soon as possible. There are no known workarounds.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 11/04/2025

The vulnerability identified as CVE-2021-43804 resides within PJSIP, a widely-used open-source multimedia communication library that implements standard protocols including SIP, SDP, RTP, STUN, TURN, and ICE. This library serves as a foundational component for numerous VoIP and real-time communication applications, making its security implications particularly significant. The flaw manifests specifically within the RTCP (Real-time Transport Control Protocol) processing functionality, which is essential for managing media streams and providing quality control in real-time communication systems. The vulnerability affects all users of PJMEDIA who utilize RTCP functionality, creating a potential attack surface that could compromise the stability and security of communication applications relying on this library.

The technical nature of this vulnerability stems from inadequate input validation within the RTCP BYE message processing logic. When PJSIP receives an incoming RTCP BYE message, it attempts to parse the reason field, which contains a length indicator specifying how much data follows. The flaw occurs because the library fails to validate whether the declared reason length in the packet actually corresponds to the available data within the received packet. This missing bounds checking creates an out-of-bounds read condition that can be exploited by malicious actors. The vulnerability specifically targets the memory access pattern when processing the reason field, where the application reads beyond the allocated buffer boundaries based on the attacker-controlled length value, potentially exposing sensitive memory contents or causing application crashes.

The operational impact of this vulnerability extends beyond simple denial-of-service scenarios, as it represents a potential information disclosure risk that could expose sensitive data from the application's memory space. An attacker capable of sending crafted RTCP BYE messages to a vulnerable system could trigger the out-of-bounds read condition, potentially accessing arbitrary memory locations and extracting confidential information. This type of vulnerability falls under the Common Weakness Enumeration category of CWE-129, which addresses insufficient validation of length of input data, and more specifically aligns with CWE-125, which covers out-of-bounds read conditions. The attack vector requires the ability to send RTCP BYE messages to the target system, which is feasible in network environments where RTCP traffic is processed, particularly in VoIP systems, video conferencing applications, and other real-time communication platforms using PJSIP.

From an adversarial perspective, this vulnerability maps to several techniques within the MITRE ATT&CK framework, particularly those related to initial access and privilege escalation through protocol manipulation. The ability to send malicious RTCP BYE messages represents a network-level attack that could be executed from any location where the target system accepts RTCP traffic, potentially including public-facing VoIP servers, enterprise communication systems, or unified communications platforms. The lack of known workarounds means that organizations cannot implement temporary fixes while awaiting patches, making this vulnerability particularly dangerous in production environments. The vulnerability's impact is amplified by the widespread adoption of PJSIP across various communication platforms, meaning that a successful exploitation could affect numerous applications and systems simultaneously, potentially compromising entire communication infrastructures.

Organizations utilizing PJSIP should prioritize immediate upgrade to the patched version to mitigate this vulnerability. The recommended mitigation strategy involves upgrading to the latest stable release of PJSIP that includes the necessary input validation fixes for RTCP BYE message processing. System administrators should also consider implementing network-level monitoring to detect and potentially block anomalous RTCP traffic patterns that could indicate exploitation attempts. Additionally, organizations should conduct comprehensive vulnerability assessments to identify all systems and applications that depend on vulnerable versions of PJSIP, ensuring that the upgrade process is coordinated across the entire communication infrastructure. Security teams should monitor for any reports of exploitation attempts and maintain situational awareness regarding potential attacks targeting this specific vulnerability in their environments.

Responsible

GitHub, Inc.

Reservation

11/16/2021

Disclosure

12/22/2021

Moderation

accepted

CPE

ready

EPSS

0.02192

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!