CVE-2026-28799
Received Received - Intake

Use-After-Free Vulnerability in PJSIP Event Subscription Framework

Vulnerability report for CVE-2026-28799, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-06
Last Modified
2026-03-10
Generated
2026-07-06
AI Q&A
2026-03-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pjsip pjsip to 2.17 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-28799 is a high-severity heap use-after-free vulnerability in the PJSIP multimedia communication library, specifically in its event subscription framework (evsub.c). This flaw occurs when a presence unsubscription request is processed, triggered by a SUBSCRIBE request with the Expires header set to 0. During this process, memory that is still needed is prematurely freed, leading to use-after-free conditions on the heap. This can cause memory corruption or exploitation. The vulnerability affects PJSIP versions 2.16 and earlier and has been fixed in version 2.17.

Impact Analysis

This vulnerability can lead to memory corruption or exploitation in applications using affected versions of PJSIP as a presence server. Specifically, any application processing SUBSCRIBE requests for presence, Message Waiting Indicator (MWI), or dialog-event subscriptions could be impacted. Exploitation of this heap use-after-free flaw could allow attackers to cause crashes, execute arbitrary code, or disrupt service availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability was discovered using AddressSanitizer during continuous integration testing, which detected a heap-use-after-free in a memcpy call within the PJSIP library's event subscription framework."}, {'type': 'paragraph', 'content': 'Detection involves monitoring for SUBSCRIBE requests with the Expires header set to 0, which triggers the presence unsubscription process where the vulnerability occurs.'}, {'type': 'paragraph', 'content': 'While no specific detection commands are provided, using memory error detection tools such as AddressSanitizer on the PJSIP application during processing of SUBSCRIBE requests can help identify the use-after-free condition.'}] [1, 2]

Mitigation Strategies

The primary mitigation step is to upgrade the PJSIP library to version 2.17 or later, where the vulnerability has been patched.

The patch defers the execution of the TERMINATED state callback during presence unsubscription to prevent premature freeing of memory, thus avoiding the heap use-after-free condition.

If upgrading immediately is not possible, consider restricting or monitoring SUBSCRIBE requests with Expires=0 to reduce exposure until the patch can be applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28799. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart