CVE-2025-65102
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-11-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pjsip | pjsip | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in PJSIP versions prior to 2.16 when using the Opus audio codec in the receiving direction. The issue is that Opus Packet Loss Concealment (PLC) may zero-fill the input frame based on the decoder's packet time (ptime), but the actual input frame length is based on the stream's ptime, which can be shorter. This mismatch can cause a memory overwrite, potentially leading to unexpected application termination.
How can this vulnerability impact me? :
The vulnerability can cause unexpected application termination due to memory overwrite when using the Opus codec in PJSIP. This could lead to denial of service or instability in applications relying on PJSIP for multimedia communication.
What immediate steps should I take to mitigate this vulnerability?
Upgrade PJSIP to version 2.16 or later, as this version contains the patch that fixes the vulnerability related to the Opus audio codec. Avoid using vulnerable versions prior to 2.16 to prevent unexpected application termination due to memory overwrite.