Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for pjmedia-video by pjsip

    CVE-2026-26203 (GCVE-0-2026-26203)

    Vulnerability from nvd – Published: 2026-02-19 19:28 – Updated: 2026-02-19 21:22
    VLAI
    Title
    PJSIP's pjmedia-video has use-after-free in H264 packetizer when packetizing fragmented NAL
    Summary
    PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    pjsip pjmedia-video Affected: < 2.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-26203",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-19T21:15:30.623967Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-19T21:22:31.050Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pjmedia-video",
              "vendor": "pjsip",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP\u0027s H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-19T19:28:58.859Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-p965-mf7j-gwv8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-p965-mf7j-gwv8"
            },
            {
              "name": "https://github.com/pjsip/pjproject/commit/5aee54f09d4f91538d55279d7316591b28fded6c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pjsip/pjproject/commit/5aee54f09d4f91538d55279d7316591b28fded6c"
            }
          ],
          "source": {
            "advisory": "GHSA-p965-mf7j-gwv8",
            "discovery": "UNKNOWN"
          },
          "title": "PJSIP\u0027s pjmedia-video has use-after-free in H264 packetizer when packetizing fragmented NAL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-26203",
        "datePublished": "2026-02-19T19:28:58.859Z",
        "dateReserved": "2026-02-11T19:56:24.814Z",
        "dateUpdated": "2026-02-19T21:22:31.050Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-26203 (GCVE-0-2026-26203)

    Vulnerability from cvelistv5 – Published: 2026-02-19 19:28 – Updated: 2026-02-19 21:22
    VLAI
    Title
    PJSIP's pjmedia-video has use-after-free in H264 packetizer when packetizing fragmented NAL
    Summary
    PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    pjsip pjmedia-video Affected: < 2.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-26203",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-19T21:15:30.623967Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-19T21:22:31.050Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pjmedia-video",
              "vendor": "pjsip",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP\u0027s H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-19T19:28:58.859Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-p965-mf7j-gwv8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-p965-mf7j-gwv8"
            },
            {
              "name": "https://github.com/pjsip/pjproject/commit/5aee54f09d4f91538d55279d7316591b28fded6c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pjsip/pjproject/commit/5aee54f09d4f91538d55279d7316591b28fded6c"
            }
          ],
          "source": {
            "advisory": "GHSA-p965-mf7j-gwv8",
            "discovery": "UNKNOWN"
          },
          "title": "PJSIP\u0027s pjmedia-video has use-after-free in H264 packetizer when packetizing fragmented NAL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-26203",
        "datePublished": "2026-02-19T19:28:58.859Z",
        "dateReserved": "2026-02-11T19:56:24.814Z",
        "dateUpdated": "2026-02-19T21:22:31.050Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }