CVE-2026-32942

Description

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:* - VULNERABLE

PJSIP <= 2.16

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-32942: Race Condition in PJSIP ICE Session
 * This is a conceptual simulation to trigger the race condition.
 */
#include <pthread.h>
#include <stdlib.h>

// Simulated PJSIP structures
typedef struct {
    int active;
    void* callback_data;
} ice_session;

ice_session* session;

void* destroy_thread_func(void* arg) {
    // Simulate session destruction (freeing memory)
    free(session);
    session = NULL;
    return NULL;
}

void* callback_thread_func(void* arg) {
    // Simulate a callback happening after/during destruction
    // Introduce slight delay to increase race window
    usleep(100);
    if (session) {
        // Use-After-Free happens here if destroy_thread ran first
        printf("Callback data: %p\n", session->callback_data);
    }
    return NULL;
}

int main() {
    pthread_t t1, t2;
    session = (ice_session*)malloc(sizeof(ice_session));
    session->active = 1;

    // Create threads to simulate race condition
    pthread_create(&t1, NULL, destroy_thread_func, NULL);
    pthread_create(&t2, NULL, callback_thread_func, NULL);

    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-32942
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-32942
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-32942/
[4] VulDB https://vuldb.com/cve/CVE-2026-32942
[5] https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a
[6] https://github.com/pjsip/pjproject/issues/1451
[7] https://github.com/pjsip/pjproject/security/advisories/GHSA-g88q-c2hm-q7p7

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-32942", "sourceIdentifier": "[email protected]", "published": "2026-03-20T04:16:49.743", "lastModified": "2026-03-23T20:51:20.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17."}, {"lang": "es", "value": "PJSIP es una biblioteca de comunicación multimedia de código abierto y gratuita escrita en C. Las versiones 2.16 e inferiores contienen una vulnerabilidad de uso después de liberación en el heap en la sesión ICE que ocurre cuando hay condiciones de carrera entre la destrucción de la sesión y las devoluciones de llamada. Este problema ha sido solucionado en la versión 2.17."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.17", "matchCriteriaId": "117AFEC4-36E1-424F-B2A3-6EC94FBBDF38"}]}]}], "references": [{"url": "https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pjsip/pjproject/issues/1451", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-g88q-c2hm-q7p7", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}