CVE-2026-33069 in pjproject
Summary
by MITRE • 03/20/2026
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.
Analysis
by VulDB Data Team • 03/30/2026
The vulnerability CVE-2026-33069 affects PJSIP, a widely used open-source multimedia communication library implemented in C for handling SIP protocol communications. This library serves as a foundational component for numerous VoIP applications and communication systems, making the security implications particularly significant. The flaw exists within the pjsip_multipart_parse() function which processes incoming SIP messages containing multipart bodies or SDP content. The issue manifests as a cascading out-of-bounds heap read condition that occurs during the parsing of boundary strings within multipart content. This type of vulnerability falls under CWE-125, which specifically addresses out-of-bounds read conditions in software systems. The vulnerability is particularly concerning because it affects versions 2.16 and below, representing a substantial portion of deployments that rely on this library for their communication infrastructure.
The technical flaw occurs when the boundary string matching process advances the curptr pointer past the delimiter without first verifying that the pointer has not reached the end of the available buffer. This pointer arithmetic error creates a scenario where the application attempts to read 1-2 bytes of adjacent heap memory beyond the intended buffer boundaries. The heap memory access pattern suggests that attackers could potentially leverage this vulnerability to extract sensitive information from adjacent memory regions, including cryptographic keys, session tokens, or other confidential data stored in the application's memory space. The vulnerability is classified as a heap-based buffer overflow condition that operates at the boundary between legitimate memory access and unauthorized memory reading. This type of memory corruption vulnerability can be categorized under the ATT&CK framework as T1059.007, representing a technique for executing commands through code injection in memory, though in this case it manifests as information disclosure rather than code execution.
The operational impact of this vulnerability extends across all applications utilizing PJSIP for processing incoming SIP messages that contain multipart bodies or SDP content. Given that SIP is fundamental to VoIP communications, this affects a broad spectrum of communication systems including enterprise PBX systems, VoIP phones, SIP trunks, and various unified communications platforms. The vulnerability is particularly dangerous because it requires no special privileges to exploit, making it accessible to attackers who can simply send malformed SIP messages to the affected systems. Applications that process incoming SIP messages without proper input validation are at risk, including servers, gateways, and proxy implementations that handle multipart content during media negotiation or session establishment processes. The 1-2 bytes of heap memory read may not seem significant, but in the context of memory layout and typical application behavior, this can expose sensitive information that could be leveraged for further attacks. The vulnerability's resolution in version 2.17 demonstrates that the PJSIP development team has addressed the core issue through proper boundary checking and pointer validation mechanisms.
Mitigation strategies should focus on immediate deployment of PJSIP version 2.17 or later, which contains the necessary fixes to prevent the out-of-bounds heap read condition. Organizations should also implement network-level filtering to detect and block malformed SIP messages that could trigger this vulnerability. Additional defensive measures include implementing proper input validation at multiple layers of the communication stack, monitoring for unusual patterns in heap memory access, and conducting regular security assessments of SIP-based systems. The fix implemented in version 2.17 should include proper bounds checking before advancing pointers during boundary string processing, ensuring that memory access operations remain within allocated buffer boundaries. Security teams should also consider implementing intrusion detection systems specifically tuned to detect patterns associated with this type of heap-based memory access anomaly, as these systems can provide early warning of potential exploitation attempts. The vulnerability serves as a reminder of the critical importance of proper memory management in C-based applications, particularly in network-facing components that process untrusted input data.
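The following C sketch is an added example, not PJSIP source code: it models the step described above, where the cursor moves past a matched delimiter, and applies the bounds checking the mitigation paragraph calls for, so every read of the cursor is preceded by a comparison against the buffer end. The names eat_delimiter() and classify(), the result enum and the "--b1" delimiter are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum delim { DELIM_PART, DELIM_CLOSE, DELIM_TRUNCATED, DELIM_MALFORMED, DELIM_NONE };

/* Hypothetical helper, not a PJSIP function. `cur` points just past a matched
 * delimiter string; `end` is one past the last valid byte of the body. */
static enum delim eat_delimiter(const char *cur, const char *end)
{
    /* A closing delimiter ("--" suffix) needs two readable bytes. */
    if (end - cur >= 2 && cur[0] == '-' && cur[1] == '-')
        return DELIM_CLOSE;
    /* Optional whitespace after the delimiter. */
    while (cur < end && (*cur == ' ' || *cur == '\t'))
        cur++;
    /* Without `cur < end`, this reads one byte past the buffer... */
    if (cur < end && *cur == '\r')
        cur++;
    /* ...and the newline test would read a second one: the cascade. */
    if (cur == end)
        return DELIM_TRUNCATED;
    return *cur == '\n' ? DELIM_PART : DELIM_MALFORMED;
}

/* Copies `body` into an exact-size heap block with no NUL terminator, so any
 * over-read would land in adjacent heap memory and be flagged by ASan. */
enum delim classify(const char *body, size_t len, const char *delim_str)
{
    size_t blen = strlen(delim_str);
    enum delim r = DELIM_NONE;
    char *buf = malloc(len ? len : 1);
    if (!buf) return DELIM_NONE;
    memcpy(buf, body, len);
    for (size_t i = 0; blen && i + blen <= len && r == DELIM_NONE; i++)
        if (memcmp(buf + i, delim_str, blen) == 0)
            r = eat_delimiter(buf + i + blen, buf + len);
    free(buf);
    return r;
}

int main(void)
{
    /* Constructed inputs: body ends right after the delimiter, then after CR. */
    printf("%d %d\n", (int)classify("--b1", 4, "--b1"),
           (int)classify("--b1\r", 5, "--b1"));
    return 0;
}
```

Building this with -fsanitize=address and removing either bounds check makes the two constructed inputs in main() report a heap-buffer-overflow read, which is a practical way to regression-test a parser for this class of defect.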