CVE-2026-32942
Use-After-Free Vulnerability in PJSIP ICE Session Causes Crash
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pjsip | pjsip | before 2.17 (2.17 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32942 is a heap use-after-free vulnerability in the PJSIP multimedia communication library, specifically in the ICE (Interactive Connectivity Establishment) session implementation. It affects versions 2.16 and earlier. The flaw occurs due to race conditions between the destruction of ICE sessions and the execution of their associated callbacks, which can lead to accessing memory that has already been freed.
This vulnerability arises from improper handling of concurrent threads where one thread may destroy an ICE session while another thread is still executing callbacks related to that session, causing unsafe memory access.
The issue has been fixed in version 2.17 by introducing reference counting around the ICE session locks to prevent premature destruction and by ensuring consistent mutex acquisition order to avoid deadlocks.
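The lifetime rule described above (a callback pins the session, and destroy only drops the owner's reference), as an added C example that is not code from this page or from PJSIP. All type and function names are hypothetical, and the two threads are simulated as one fixed interleaving so the result is deterministic. A real implementation must also take the callback's reference while the session is known to be alive, for example under the session lock.

```c
/* Added illustration; every name here is hypothetical, not PJSIP's API. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
typedef struct sess {
    atomic_int  refs;      /* owner + each in-flight callback */
    atomic_bool destroyed; /* set by destroy, checked by callbacks */
    int        *frees;     /* constructed hook: counts real frees */
    int         rx_count;  /* state a callback would touch */
} sess;

sess *sess_create(int *frees) {
    sess *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    atomic_init(&s->refs, 1);            /* the owner's reference */
    atomic_init(&s->destroyed, false);
    s->frees = frees;
    return s;
}
void sess_add_ref(sess *s) { atomic_fetch_add(&s->refs, 1); }
/* Memory is released only by whoever drops the last reference. */
bool sess_dec_ref(sess *s) {
    if (atomic_fetch_sub(&s->refs, 1) != 1) return false;
    ++*s->frees;
    free(s);
    return true;
}

/* Destroy flags the session and drops the owner ref; it never frees directly. */
bool sess_destroy(sess *s) {
    atomic_store(&s->destroyed, true);
    return sess_dec_ref(s);
}
/* Callback body after it pinned the session; skips work once destroyed. */
bool cb_finish(sess *s) {
    if (!atomic_load(&s->destroyed)) s->rx_count++;
    return sess_dec_ref(s);              /* true: this call freed the session */
}

/* Constructed interleaving; returns 1 if the free was deferred to callback exit. */
int destroy_during_callback(void) {
    int frees = 0;
    sess *s = sess_create(&frees);
    if (!s) return -1;
    sess_add_ref(s);                     /* callback entry pins the session */
    bool early = sess_destroy(s);        /* other thread destroys mid-callback */
    bool late = cb_finish(s);            /* callback exits, drops last ref */
    return !early && late && frees == 1;
}
```

Without the `sess_add_ref` at callback entry, `sess_destroy` would free the session while the callback still holds the pointer, which is the use-after-free condition this CVE describes.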
How can this vulnerability impact me?
This vulnerability can impact any application using PJSIP versions 2.16 or earlier that relies on ICE for connectivity. Exploitation could lead to heap use-after-free conditions, which may cause application crashes, denial of service, or potentially allow an attacker to execute arbitrary code or corrupt memory.
Because the issue involves race conditions and memory safety, it can undermine the stability and security of multimedia communication applications, potentially disrupting communication services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves a heap use-after-free condition caused by race conditions in the ICE session handling of PJSIP versions 2.16 and below. Detection would require monitoring for symptoms of race conditions or deadlocks in the ICE session components, particularly related to mutex acquisition order conflicts between threads handling incoming and outgoing packets.
No specific detection commands or network/system scanning commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade PJSIP to version 2.17 or later, where this heap use-after-free vulnerability has been fixed.
The fix involves improved thread safety and lifecycle management in the ICE session code, including reference counting to prevent premature destruction and avoiding deadlocks by consistent mutex acquisition order.
If upgrading immediately is not possible, reviewing and applying the patch from commit c9caceddabda7f18337b2a82d25d65f6224b450a may help mitigate the issue.