CVE-2026-32942
Received Received - Intake
Use-After-Free Vulnerability in PJSIP ICE Session Causes Crash

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32942
EUVD
EUVD-2026-13520
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pjsip pjsip to 2.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32942 is a heap use-after-free vulnerability in the PJSIP multimedia communication library, specifically in the ICE (Interactive Connectivity Establishment) session implementation. It affects versions 2.16 and earlier. The flaw occurs due to race conditions between the destruction of ICE sessions and the execution of their associated callbacks, which can lead to accessing memory that has already been freed.

This vulnerability arises from improper handling of concurrent threads where one thread may destroy an ICE session while another thread is still executing callbacks related to that session, causing unsafe memory access.

The issue has been fixed in version 2.17 by introducing reference counting around the ICE session locks to prevent premature destruction and by ensuring consistent mutex acquisition order to avoid deadlocks.

Impact Analysis

This vulnerability can impact any application using PJSIP versions 2.16 or earlier that relies on ICE for connectivity. Exploitation could lead to heap use-after-free conditions, which may cause application crashes, denial of service, or potentially allow an attacker to execute arbitrary code or corrupt memory.

Because the issue involves race conditions and memory safety, it can undermine the stability and security of multimedia communication applications, potentially disrupting communication services.

Compliance Impact

I don't know

Detection Guidance

The vulnerability involves a heap use-after-free condition caused by race conditions in the ICE session handling of PJSIP versions 2.16 and below. Detection would require monitoring for symptoms of race conditions or deadlocks in the ICE session components, particularly related to mutex acquisition order conflicts between threads handling incoming and outgoing packets.

No specific detection commands or network/system scanning commands are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade PJSIP to version 2.17 or later, where this heap use-after-free vulnerability has been fixed.

The fix involves improved thread safety and lifecycle management in the ICE session code, including reference counting to prevent premature destruction and avoiding deadlocks by consistent mutex acquisition order.

If upgrading immediately is not possible, reviewing and applying the patch from commit c9caceddabda7f18337b2a82d25d65f6224b450a may help mitigate the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart