CVE-2026-25994
📋 TL;DR
A buffer overflow vulnerability in PJSIP's PJNATH ICE Session component allows attackers to execute arbitrary code or cause denial of service by sending credentials with excessively long usernames. This affects all systems using PJSIP library versions 2.16 and earlier for multimedia communication. Applications using PJSIP for VoIP, video conferencing, or real-time communication are vulnerable.
💻 Affected Systems
- PJSIP (pjproject)
- Any software using PJSIP library
📦 What is this software?
Pjsip by Pjsip
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.
Likely Case
Denial of service causing application crashes, service disruption, or system instability.
If Mitigated
Application crash with limited impact if proper segmentation and privilege separation are implemented.
🎯 Exploit Status
Exploitation requires sending specially crafted credentials to the ICE session. No public exploit code is available as of this analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.17 or later, or apply commit 063b3a155f163cc5a9a1df2c56b6720fd3a0dbb0
Vendor Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-j29p-pvh2-pvqp
Restart Required: Yes
Instructions:
1. Update to PJSIP version 2.17 or later.
2. Alternatively, apply the specific fix commit 063b3a155f163cc5a9a1df2c56b6720fd3a0dbb0.
3. Recompile and redeploy all applications using PJSIP.
4. Restart affected services.
🔧 Temporary Workarounds
Input Validation for Usernames
Implement application-level validation to reject credentials with usernames exceeding reasonable length (e.g., > 256 characters).
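One way to write that check in C, as an added example that is not pjproject code: it assumes the credentials are the remote ICE username fragment and password your application receives from signalling, and validates them before they are handed to the ICE session. The `cred_str` type and all function names are hypothetical; the character set and the 4/22/256 bounds come from the ICE SDP grammar in RFC 5245 section 15.4.

```c
#include <stddef.h>

/* Added example, not pjproject code. Bounds follow RFC 5245 section 15.4:
 * ufrag = 4*256ice-char, password = 22*256ice-char. The 256 upper bound
 * matches the length suggested in the workaround text. */
#define ICE_UFRAG_MIN 4u
#define ICE_PWD_MIN   22u
#define ICE_CRED_MAX  256u

enum ice_cred_status {
    ICE_CRED_OK = 0,
    ICE_CRED_NULL,
    ICE_CRED_TOO_SHORT,
    ICE_CRED_TOO_LONG,
    ICE_CRED_BAD_CHAR
};

/* Hypothetical pointer+length string: untrusted input is never assumed
 * to be NUL-terminated, so strlen() is not used anywhere. */
struct cred_str { const char *ptr; size_t len; };

/* ice-char = ALPHA / DIGIT / "+" / "/" */
static int is_ice_char(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '+' || c == '/';
}

/* Length is checked first, so an oversized value is rejected before any
 * scan or copy touches it. */
static enum ice_cred_status check_field(struct cred_str s, size_t min_len)
{
    size_t i;
    if (s.ptr == NULL) return ICE_CRED_NULL;
    if (s.len > ICE_CRED_MAX) return ICE_CRED_TOO_LONG;
    if (s.len < min_len) return ICE_CRED_TOO_SHORT;
    for (i = 0; i < s.len; i++)
        if (!is_ice_char((unsigned char)s.ptr[i])) return ICE_CRED_BAD_CHAR;
    return ICE_CRED_OK;
}

/* Reject the offer on any non-OK result; do not truncate and continue. */
enum ice_cred_status validate_remote_ice_creds(struct cred_str ufrag,
                                               struct cred_str pwd)
{
    enum ice_cred_status st = check_field(ufrag, ICE_UFRAG_MIN);
    return st != ICE_CRED_OK ? st : check_field(pwd, ICE_PWD_MIN);
}
```

Log the returned status together with the peer address so rejected offers show up in monitoring.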
Disable ICE Functionality
If ICE is not required, disable PJNATH ICE session functionality in PJSIP configuration.
# In pjproject configuration, set PJ_ICE_MAX_CAND to 0 or disable ICE entirely
🧯 If You Can't Patch
- Implement network segmentation to isolate PJSIP services from critical systems.
- Deploy Web Application Firewall (WAF) rules to block excessively long username fields in SIP/ICE traffic.
🔍 How to Verify
Check if Vulnerable:
Check the PJSIP version with pjsua --version, or examine the library version in the application. If the version is 2.16 or earlier and ICE is enabled, the system is vulnerable.
Check Version:
pjsua --version 2>&1 | grep -i version || strings /path/to/pjsip/library | grep -i "pjlib version"
Verify Fix Applied:
Verify that the version is 2.17 or later, or confirm that commit 063b3a155f163cc5a9a1df2c56b6720fd3a0dbb0 is applied in the source code.
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults
- ICE session errors with long username fields
- Memory corruption warnings in system logs
Network Indicators:
- SIP/ICE packets with username fields exceeding normal length (>500 characters)
- Multiple connection attempts with varying long usernames
SIEM Query:
source="*pjsip*" AND ("segmentation fault" OR "buffer overflow" OR "ICE error")