CVE-2026-26967
📋 TL;DR
A critical heap-based buffer overflow vulnerability in PJSIP's H.264 unpacketizer allows remote attackers to execute arbitrary code or cause denial of service by sending specially crafted SRTP packets. This affects all applications using PJSIP versions 2.16 and below that receive H.264 video streams. The vulnerability is exploitable without authentication when video functionality is enabled.
💻 Affected Systems
- PJSIP (pjproject)
- Any application/library using PJSIP for multimedia communication
📦 What is this software?
Pjsip by Pjsip
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.
Likely Case
Denial of service causing application crashes, service disruption, or potential information disclosure via memory leaks.
If Mitigated
Limited impact with proper network segmentation and exploit mitigations like ASLR/DEP, though service disruption remains possible.
🎯 Exploit Status
Exploitation requires sending malformed SRTP packets to the H.264 unpacketizer. The advisory is public but no known exploits are circulating.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit f821c214e52b11bae11e4cd3c7f0864538fb5491
Vendor Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-x2hc-6969-g8v6
Restart Required: Yes
Instructions:
1. Update to latest PJSIP version from GitHub. 2. Apply commit f821c214e52b11bae11e4cd3c7f0864538fb5491. 3. Recompile and redeploy affected applications. 4. Restart all services using PJSIP.
🔧 Temporary Workarounds
Disable H.264 video
allDisable H.264 video codec support in PJSIP configuration
Modify pjmedia config to remove H.264 from codec list
Network filtering
linuxBlock or filter SRTP packets at network perimeter
iptables -A INPUT -p udp --dport 5061 -j DROP (for SIP TLS)
Configure firewall to block video RTP streams
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PJSIP services from untrusted networks
- Enable exploit mitigations (ASLR, DEP, stack canaries) and monitor for crash events
🔍 How to Verify
Check if Vulnerable:
Check PJSIP version and verify if H.264 is enabled in codec configurationCheck Version:
pjsua --version or check pjlib version in application logsVerify Fix Applied:
Verify the commit f821c214e52b11bae11e4cd3c7f0864538fb5491 is present in your build📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults
- Memory corruption errors in logs
- Unexpected termination of PJSIP processes
Network Indicators:
- Malformed SRTP packets to H.264 ports
- Unusual video stream patterns
- Traffic spikes to video ports
SIEM Query:
source="*pjsip*" AND ("segmentation fault" OR "buffer overflow" OR "SIGSEGV")