CVE-2026-28799
Use-After-Free Vulnerability in PJSIP Event Subscription Framework
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pjsip | pjsip | up to 2.17 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28799 is a high-severity heap use-after-free vulnerability in the PJSIP multimedia communication library, specifically in its event subscription framework (evsub.c). This flaw occurs when a presence unsubscription request is processed, triggered by a SUBSCRIBE request with the Expires header set to 0. During this process, memory that is still needed is prematurely freed, leading to use-after-free conditions on the heap. This can cause memory corruption or exploitation. The vulnerability affects PJSIP versions 2.16 and earlier and has been fixed in version 2.17.
How can this vulnerability impact me?
This vulnerability can lead to memory corruption or exploitation in applications using affected versions of PJSIP as a presence server. Specifically, any application processing SUBSCRIBE requests for presence, Message Waiting Indicator (MWI), or dialog-event subscriptions could be impacted. Exploitation of this heap use-after-free flaw could allow attackers to cause crashes, execute arbitrary code, or disrupt service availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability was discovered using AddressSanitizer during continuous integration testing, which detected a heap-use-after-free in a memcpy call within the PJSIP library's event subscription framework.
Detection involves monitoring for SUBSCRIBE requests with the Expires header set to 0, which triggers the presence unsubscription process where the vulnerability occurs.
While no specific detection commands are provided, using memory error detection tools such as AddressSanitizer on the PJSIP application during processing of SUBSCRIBE requests can help identify the use-after-free condition. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the PJSIP library to version 2.17 or later, where the vulnerability has been patched.
The patch defers the execution of the TERMINATED state callback during presence unsubscription to prevent premature freeing of memory, thus avoiding the heap use-after-free condition.
If upgrading immediately is not possible, consider restricting or monitoring SUBSCRIBE requests with Expires=0 to reduce exposure until the patch can be applied.
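The monitoring described in the detection and mitigation answers above can be sketched as follows. This is an added example, not code from PJSIP or from this advisory; the function names and sample messages are constructed. A SUBSCRIBE with Expires: 0 is the normal way to unsubscribe, so matches show how often the affected code path is reached on an unpatched server and are not by themselves a sign of attack.

```python
import re

# Event packages for the subscription types the page lists:
# presence, Message Waiting Indicator (message-summary) and dialog-event (dialog).
WATCHED_EVENTS = {"presence", "message-summary", "dialog"}
# SIP compact header forms relevant here: "o" = Event, "i" = Call-ID.
COMPACT = {"o": "event", "i": "call-id"}

def parse_sip_request(raw):
    """Return (method, headers); headers maps lowercase name -> first value seen."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continuation lines
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers.setdefault(COMPACT.get(name, name), value.strip())
    return method, headers

def is_zero_expiry_subscribe(raw):
    """True for a SUBSCRIBE with Expires: 0 on one of the watched event packages."""
    method, headers = parse_sip_request(raw)
    expires = headers.get("expires", "")
    # Drop event parameters such as ";id=..." before comparing the package name.
    event = headers.get("event", "").split(";", 1)[0].strip().lower()
    return (method == "SUBSCRIBE" and expires.isdigit() and int(expires) == 0
            and event in WATCHED_EVENTS)

def flagged_call_ids(messages):
    """Call-IDs of the matching messages, for logging or rate tracking."""
    return [parse_sip_request(m)[1].get("call-id", "?")
            for m in messages if is_zero_expiry_subscribe(m)]

# Constructed sample traffic (not captured from a real system).
SAMPLES = [
    "SUBSCRIBE sip:alice@example.com SIP/2.0\r\nCall-ID: a1\r\nEvent: presence\r\nExpires: 0\r\n\r\n",
    "SUBSCRIBE sip:bob@example.com SIP/2.0\r\ni: b2\r\no: message-summary\r\nEXPIRES:\r\n 0\r\n\r\n",
    "SUBSCRIBE sip:alice@example.com SIP/2.0\r\nCall-ID: c3\r\nEvent: presence\r\nExpires: 3600\r\n\r\n",
    "REGISTER sip:example.com SIP/2.0\r\nCall-ID: d4\r\nExpires: 0\r\n\r\n",
]

if __name__ == "__main__":
    print(flagged_call_ids(SAMPLES))
```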