CVE-2021-43845

8.2 HIGH

📋 TL;DR

CVE-2021-43845 is an out-of-bounds read vulnerability in PJSIP multimedia communication library versions 2.11.1 and earlier. A malicious actor can send specially crafted RTCP XR messages with invalid packet sizes, potentially causing memory corruption or information disclosure. This affects all users of PJMEDIA with RTCP XR functionality enabled.

💻 Affected Systems

Products:
  • PJSIP (pjproject)
  • Any software using PJSIP library
Versions: 2.11.1 and earlier
Operating Systems: All platforms running PJSIP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with PJMEDIA and RTCP XR functionality enabled. Many VoIP and multimedia applications use PJSIP.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, though out-of-bounds read typically results in information disclosure or denial of service.

🟠

Likely Case

Application crash leading to denial of service, or information disclosure from memory contents.

🟢

If Mitigated

Minimal impact if proper network segmentation and input validation are in place.

🌐 Internet-Facing: HIGH - RTCP XR messages can be sent remotely without authentication to internet-facing services using PJSIP.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but requires network access to vulnerable services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Sending malformed RTCP XR packets requires minimal technical skill.

The vulnerability is in the parsing logic, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.12 and later

Vendor Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-r374-qrwv-86hh

Restart Required: Yes

Instructions:

1. Update PJSIP to version 2.12 or later.
2. Recompile any applications using PJSIP.
3. Restart affected services.

🔧 Temporary Workarounds

Disable RTCP XR

all

Disable RTCP XR functionality if not required.

Configure PJSIP to disable RTCP XR in application settings

Network filtering

linux

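Block or filter RTCP XR packets at the network perimeter. RTCP XR packets are identified by packet type 207 in the RTCP header (RFC 3611); the hex string in the rule below is the ASCII text "RTCP", which is not a field of that header, so verify the match against captured traffic before relying on it.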

iptables -A INPUT -p udp --dport [rtcp-port] -m string --hex-string '|52544350|' --algo bm -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Deploy intrusion detection systems to monitor for malformed RTCP packets

🔍 How to Verify

Check if Vulnerable:

Check PJSIP version and verify RTCP XR is enabled in configuration.

Check Version:

pjsua --version or check library version in application

Verify Fix Applied:

Verify PJSIP version is 2.12 or later and test with valid RTCP XR packets.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes
  • Memory access violation errors
  • Unexpected RTCP packet processing errors

Network Indicators:

  • Malformed RTCP XR packets
  • Unusual RTCP traffic patterns
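
What "malformed" means at the wire level, as an added example (not PJSIP's code and not the upstream patch): a bounds-checked walk over a compound RTCP datagram that rejects an XR packet (packet type 207, RFC 3611) whose declared packet length or report-block length runs past the bytes actually received. The function names, result codes and sample packets are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes (hypothetical names, chosen for this example). */
enum { RTCP_OK = 0, RTCP_BAD_HEADER = 1, RTCP_BAD_PKT_LEN = 2, RTCP_BAD_XR_BLOCK = 3 };
#define RTCP_PT_XR 207u   /* RFC 3611 packet type for Extended Reports */

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Check the report blocks of one XR packet; pkt_len is already bounds-checked. */
static int check_xr_blocks(const uint8_t *pkt, size_t pkt_len)
{
    size_t off = 8;                        /* 4-byte RTCP header + 4-byte SSRC */
    if (pkt_len < off) return RTCP_BAD_XR_BLOCK;
    while (off < pkt_len) {
        if (pkt_len - off < 4) return RTCP_BAD_XR_BLOCK;   /* truncated block header */
        size_t blk_len = (be16(pkt + off + 2) + 1) * 4;    /* words-minus-one, header included */
        if (blk_len > pkt_len - off) return RTCP_BAD_XR_BLOCK;
        off += blk_len;
    }
    return RTCP_OK;
}

/* Walk a compound RTCP datagram without ever reading past buf + len. */
int rtcp_xr_validate(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    if (len == 0) return RTCP_BAD_HEADER;
    while (off < len) {
        if (len - off < 4 || (buf[off] >> 6) != 2) return RTCP_BAD_HEADER;
        size_t pkt_len = (be16(buf + off + 2) + 1) * 4;    /* declared size in bytes */
        if (pkt_len > len - off) return RTCP_BAD_PKT_LEN;  /* claims more than was received */
        if (buf[off + 1] == RTCP_PT_XR) {
            int rc = check_xr_blocks(buf + off, pkt_len);
            if (rc != RTCP_OK) return rc;
        }
        off += pkt_len;
    }
    return RTCP_OK;
}

/* Constructed samples: valid XR, oversized packet length, oversized block length. */
const uint8_t sample_ok[]      = {0x80,0xCF,0x00,0x02, 0,0,0,1, 0x2A,0x00,0x00,0x00};
const uint8_t sample_bad_len[] = {0x80,0xCF,0x00,0x07, 0,0,0,1, 0x2A,0x00,0x00,0x00};
const uint8_t sample_bad_blk[] = {0x80,0xCF,0x00,0x02, 0,0,0,1, 0x2A,0x00,0x00,0x05};

int main(void) {
    return rtcp_xr_validate(sample_ok, sizeof sample_ok) == RTCP_OK ? 0 : 1;
}
```

The same length comparisons can drive an IDS rule or a packet-capture triage script: a non-zero result on traffic bound for a PJSIP endpoint is the "malformed RTCP XR" indicator listed above.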

SIEM Query:

source="*pjsip*" AND (error OR crash OR "out of bounds" OR "memory violation")
