CVE-2026-28799
Received Received - Intake
Use-After-Free Vulnerability in PJSIP Event Subscription Framework

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28799
EUVD
EUVD-2026-10006
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pjsip pjsip to 2.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability was discovered using AddressSanitizer during continuous integration testing, which detected a heap-use-after-free in a memcpy call within the PJSIP library's event subscription framework."}, {'type': 'paragraph', 'content': 'Detection involves monitoring for SUBSCRIBE requests with the Expires header set to 0, which triggers the presence unsubscription process where the vulnerability occurs.'}, {'type': 'paragraph', 'content': 'While no specific detection commands are provided, using memory error detection tools such as AddressSanitizer on the PJSIP application during processing of SUBSCRIBE requests can help identify the use-after-free condition.'}] [1, 2]

Mitigation Strategies

The primary mitigation step is to upgrade the PJSIP library to version 2.17 or later, where the vulnerability has been patched.

The patch defers the execution of the TERMINATED state callback during presence unsubscription to prevent premature freeing of memory, thus avoiding the heap use-after-free condition.

If upgrading immediately is not possible, consider restricting or monitoring SUBSCRIBE requests with Expires=0 to reduce exposure until the patch can be applied.

Executive Summary

CVE-2026-28799 is a high-severity heap use-after-free vulnerability in the PJSIP multimedia communication library, specifically in its event subscription framework (evsub.c). This flaw occurs when a presence unsubscription request is processed, triggered by a SUBSCRIBE request with the Expires header set to 0. During this process, memory that is still needed is prematurely freed, leading to use-after-free conditions on the heap. This can cause memory corruption or exploitation. The vulnerability affects PJSIP versions 2.16 and earlier and has been fixed in version 2.17.

Impact Analysis

This vulnerability can lead to memory corruption or exploitation in applications using affected versions of PJSIP as a presence server. Specifically, any application processing SUBSCRIBE requests for presence, Message Waiting Indicator (MWI), or dialog-event subscriptions could be impacted. Exploitation of this heap use-after-free flaw could allow attackers to cause crashes, execute arbitrary code, or disrupt service availability.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28799. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart