CVE-2026-28799 in pjproject

Summary

by MITRE • 03/06/2026

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.


Analysis

by VulDB Data Team • 03/12/2026

The heap use-after-free vulnerability tracked as CVE-2026-28799 affects PJSIP 2.16 and earlier and sits in the library's event subscription framework (evsub.c). It is reached when the framework processes a presence unsubscription, that is, a SUBSCRIBE request carrying Expires=0 sent to terminate an existing subscription. During cleanup of the subscription object, memory that has already been freed is accessed again, which can crash the process or, depending on what an attacker manages to place in the freed region before the stale access, lead to code execution.

Mechanically, the flaw is a lifecycle error in subscription teardown: when the Expires=0 request is handled, the subscription object is freed while another part of the framework still holds a pointer to it and later dereferences that stale pointer. Because the request that drives the teardown comes from the remote peer, any peer that can send SUBSCRIBE requests to the application can trigger the condition and, by controlling allocations between the free and the stale access, influence what the dangling pointer reads or writes. The weakness is classified as CWE-416 (Use After Free), the class of memory-safety bugs in which memory is used after it has been released, with denial of service and code execution as the usual consequences.

Operationally, the bug matters to any deployment that uses PJSIP's presence subscription machinery: VoIP systems, instant messaging platforms and unified communications products that track user availability through SUBSCRIBE/NOTIFY. Deployments that never enable the event subscription code path do not reach the vulnerable cleanup. The most reliable outcome for an attacker is a crash of the affected process and therefore loss of service; turning a heap use-after-free into code execution with the process's privileges additionally depends on allocator behaviour, heap layout and hardening such as ASLR, so it is possible but not guaranteed. Any further impact, such as lateral movement or data exposure, follows from what the compromised process can reach in its environment rather than from the bug itself.

Mitigation is to upgrade to PJSIP 2.17 or later, where the issue is fixed. Because PJSIP is usually embedded in other products (softphones, PBX and media servers, applications that bundle the library), inventorying for it means checking the version linked into each product rather than searching for a standalone package. Until a system is patched, restricting which peers may send SUBSCRIBE requests to it, together with network segmentation of the SIP service and application allowlisting on the host, reduces exposure. Monitoring for SUBSCRIBE requests with Expires: 0 is worth doing, with the caveat that Expires: 0 is also the normal way a well-behaved client unsubscribes, so the signal is only useful when correlated with crashes or restarts of the SIP process, or with an unusual rate of subscribe/unsubscribe pairs from a single source. In ATT&CK terms, exploitation is best described as T1190 (Exploit Public-Facing Application) for a network-facing SIP service or T1203 (Exploitation for Client Execution) for a client endpoint; T1059 (Command and Scripting Interpreter) applies only to what an attacker does after gaining execution, not to the memory corruption itself. At the time of this entry the EPSS score is 0.00063 and the CVE is not in CISA's KEV catalogue, so observed exploitation activity is very low; that lowers urgency relative to actively exploited bugs but does not change the fix, which is the upgrade. Vulnerability management for the rest of the communication stack should be kept current, since other components of the same deployments are exposed to the same class of memory-safety issue.
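As an added, illustrative example (not VulDB's text and not PJSIP code), the two checks above scripted in Python: a version comparison against the 2.17 fix, and a scanner that flags presence SUBSCRIBE requests carrying Expires: 0 in raw SIP messages. The version-string handling and the SIP sample messages are constructed for the example; how the version string is obtained from a given product is product-specific and not covered here, and the "pre-release of 2.17 counts as affected" rule is a conservative assumption, not something the advisory states.

```python
"""Added example, not VulDB's or PJSIP's code: triage helpers for CVE-2026-28799.

Two checks scripted from the advisory text:
  1. is_affected(): does a reported PJSIP version predate the 2.17 fix?
  2. flag_unsubscribes(): scan raw SIP requests and report presence
     SUBSCRIBE requests with Expires: 0, the pattern worth correlating
     with crashes of the SIP process.
All SIP messages below are constructed samples, not captured traffic.
"""
import re

FIXED_VERSION = (2, 17)  # advisory: fixed in PJSIP 2.17

# SIP compact header names (RFC 3261 s.7.3.3; RFC 3265 s.7.2 for Event)
COMPACT = {"f": "from", "t": "to", "v": "via", "i": "call-id",
           "l": "content-length", "o": "event"}


def parse_version(text):
    """'2.16', '2.16.1', '2.17-rc1' -> (2, 16), (2, 16, 1), (2, 17)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised PJSIP version: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_affected(version_text):
    """True when the version predates the 2.17 release.

    A pre-release label on 2.17 itself ('2.17-rc1', '2.17-dev') is treated
    as affected. That is a conservative assumption made for this example:
    the advisory names only the final 2.17 release as fixed.
    """
    base = parse_version(version_text)
    if base < FIXED_VERSION:
        return True
    return base == FIXED_VERSION and "-" in version_text


def parse_sip_request(raw):
    """Split a SIP request into (METHOD, {lower-case header name: value}).

    Header folding (continuation lines) is not handled; that is enough for
    the constructed samples and for typical SUBSCRIBE traffic.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if line.strip() == "":
            break                      # blank line ends the header block
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return method, headers


def is_unsubscribe(raw, packages=("presence",)):
    """True for a SUBSCRIBE whose Event package is in `packages` and whose Expires is 0."""
    method, h = parse_sip_request(raw)
    if method != "SUBSCRIBE":
        return False
    package = h.get("event", "").split(";", 1)[0].strip().lower()
    try:
        expires = int(h.get("expires", ""))
    except ValueError:
        return False                   # missing or malformed Expires header
    return package in packages and expires == 0


def flag_unsubscribes(messages, packages=("presence",)):
    """Return (Call-ID, From) for every matching unsubscribe, in the order seen."""
    hits = []
    for raw in messages:
        if is_unsubscribe(raw, packages):
            _, h = parse_sip_request(raw)
            hits.append((h.get("call-id", "?"), h.get("from", "?")))
    return hits


def _msg(call_id, event_line, expires, src="198.51.100.7"):
    """Build a constructed SUBSCRIBE request for the samples below."""
    return (
        "SUBSCRIBE sip:bob@example.invalid SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-{call_id}\r\n"
        "From: <sip:alice@example.invalid>;tag=a1\r\n"
        "To: <sip:bob@example.invalid>\r\n"
        f"Call-ID: {call_id}@{src}\r\n"
        "CSeq: 1 SUBSCRIBE\r\n"
        f"{event_line}\r\n"
        f"Expires: {expires}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


# Constructed samples: one refresh, one presence unsubscribe, one unsubscribe
# for another event package, one unsubscribe using the compact Event header,
# and a NOTIFY that must be ignored because it is not a SUBSCRIBE.
SAMPLE_MESSAGES = [
    _msg("call-1", "Event: presence", 3600),
    _msg("call-2", "Event: presence", 0),
    _msg("call-3", "Event: message-summary", 0),
    _msg("call-4", "o: presence;id=7", 0),
    "NOTIFY sip:alice@example.invalid SIP/2.0\r\nEvent: presence\r\nExpires: 0\r\n\r\n",
]

if __name__ == "__main__":
    for v in ("2.16", "2.16.1", "2.17", "2.17.1"):
        print(f"PJSIP {v}: {'affected' if is_affected(v) else 'fixed'}")
    for call_id, sender in flag_unsubscribes(SAMPLE_MESSAGES):
        print(f"presence unsubscribe {call_id} from {sender}")
```

The scanner deliberately reports only the presence package by default, because that is the path the advisory names; passing a wider `packages` tuple widens the net if other event packages are in use. A hit is a triage signal to correlate with process crashes, not an indicator of compromise on its own.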

Responsible

GitHub M

Reservation

03/03/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00063

KEV

no

Activities

very low

Sources
