CVE-2022-21722

9.1 CRITICAL

📋 TL;DR

CVE-2022-21722 is an out-of-bounds read vulnerability in the PJSIP multimedia communication library, affecting versions 2.11.1 and prior. It allows attackers to potentially read sensitive memory contents or cause denial of service by sending specially crafted RTP/RTCP packets. All users who use PJMEDIA and accept incoming RTP/RTCP traffic are affected.

💻 Affected Systems

Products:
  • PJSIP
  • pjproject
  • applications using PJSIP library
Versions: 2.11.1 and prior
Operating Systems: All operating systems running affected PJSIP versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using PJMEDIA with incoming RTP/RTCP enabled. VoIP systems, SIP servers, and multimedia applications are particularly vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, though an out-of-bounds read typically results in information disclosure or a crash.

🟠

Likely Case

Denial of service causing service disruption or information disclosure through memory leaks.

🟢

If Mitigated

Limited impact with proper network segmentation and packet filtering in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted RTP/RTCP packets to vulnerable endpoints. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Master branch commit 22af44e68a0c7d190ac1e25075e1382f77e9397a and later

Vendor Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36

Restart Required: Yes

Instructions:

1. Update to latest PJSIP version from master branch.
2. Recompile applications using PJSIP.
3. Restart affected services.
4. Verify patch application with version check.

🔧 Temporary Workarounds

Network segmentation and filtering

Platform: Linux

Restrict RTP/RTCP traffic to trusted sources only using firewall rules

iptables -A INPUT -p udp --dport 16384:32768 -s trusted_ip -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Deploy intrusion detection/prevention systems to monitor for anomalous RTP/RTCP traffic patterns

🔍 How to Verify

Check if Vulnerable:

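Check the installed PJSIP version with pkg-config (pjproject installs its pkg-config module as libpjproject), or examine application dependencies:

pkg-config --modversion libpjproject

Check Version:

pkg-config --modversion libpjproject || grep -rn 'PJ_VERSION' /path/to/pjproject-source    # placeholder path: your pjproject source tree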

Verify Fix Applied:

Verify version is newer than 2.11.1 or includes commit 22af44e68a0c7d190ac1e25075e1382f77e9397a

📡 Detection & Monitoring

Log Indicators:

  • Application crashes
  • Memory access violation errors
  • Unusual RTP/RTCP packet size logs

Network Indicators:

  • Malformed RTP/RTCP packets
  • Unusual traffic patterns to RTP ports
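
One concrete meaning of "malformed" at the packet level, as an added example that is not part of this page and is not PJSIP's patch: a bounds check built on the RTP and RTCP header layouts in RFC 3550, flagging datagrams whose declared lengths exceed the bytes actually received. The function names, status codes and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum pkt_status { PKT_OK = 0, PKT_TRUNCATED, PKT_BAD_VERSION, PKT_BAD_LENGTH };

/* RTP (RFC 3550 section 5.1): every declared length must fit in the datagram. */
enum pkt_status check_rtp(const uint8_t *buf, size_t len)
{
    if (len < 12) return PKT_TRUNCATED;               /* fixed header is 12 octets */
    if ((buf[0] >> 6) != 2) return PKT_BAD_VERSION;
    size_t off = 12 + 4u * (buf[0] & 0x0F);           /* CC field: CSRC list size */
    if (off > len) return PKT_BAD_LENGTH;
    if (buf[0] & 0x10) {                              /* X bit: header extension */
        if (len - off < 4) return PKT_BAD_LENGTH;
        size_t ext = 4u * (((size_t)buf[off + 2] << 8) | buf[off + 3]);
        off += 4;
        if (ext > len - off) return PKT_BAD_LENGTH;   /* compare without overflow */
        off += ext;
    }
    if (buf[0] & 0x20) {                              /* P bit: last octet is pad count */
        size_t pad = buf[len - 1];
        if (pad == 0 || pad > len - off) return PKT_BAD_LENGTH;
    }
    return PKT_OK;
}

/* RTCP compound packet (RFC 3550 section 6.1): walk sub-packets by length field. */
enum pkt_status check_rtcp(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    if (len < 4) return PKT_TRUNCATED;
    while (off < len) {
        if (len - off < 4) return PKT_TRUNCATED;
        if ((buf[off] >> 6) != 2) return PKT_BAD_VERSION;
        size_t plen = 4u * ((((size_t)buf[off + 2] << 8) | buf[off + 3]) + 1);
        if (plen > len - off) return PKT_BAD_LENGTH;  /* claims more than was received */
        off += plen;
    }
    return PKT_OK;
}

/* Constructed sample datagrams (not captured traffic). */
const uint8_t rtp_ok[16]      = {0x80,0,0,1, 0,0,0,0, 0,0,0,1, 1,2,3,4};
const uint8_t rtp_bad_cc[12]  = {0x8F,0,0,1, 0,0,0,0, 0,0,0,1};          /* CC=15, no CSRCs */
const uint8_t rtp_bad_ext[16] = {0x90,0,0,1, 0,0,0,0, 0,0,0,1, 0xBE,0xDE,0xFF,0xFF};
const uint8_t rtcp_ok[8]      = {0x80,201,0,1, 0,0,0,1};                 /* empty RR */
const uint8_t rtcp_bad_len[8] = {0x81,200,0,6, 0,0,0,1};                 /* claims 28 octets */
int main(void) { return check_rtp(rtp_ok, sizeof rtp_ok) != PKT_OK; }
```
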

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "out of bounds" OR "memory violation")
