CVE-2026-33069
Out-of-Bounds Heap Read in PJSIP Multipart Parsing
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pjsip | pjsip | to 2.17 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds heap read in the pjsip library, specifically in the function pjsip_multipart_parse(). When parsing SIP multipart messages, after matching a boundary string, the pointer used to read the buffer is advanced past the delimiter without checking if it has reached the end of the buffer. This causes the program to read 1-2 bytes of adjacent heap memory beyond the intended buffer boundary.
The issue affects pjsip versions 2.16 and earlier and is fixed in version 2.17 by adding proper boundary checks and stricter enforcement of expected buffer content after the boundary delimiter.
How can this vulnerability impact me? :
This vulnerability can impact any application that processes incoming SIP messages with multipart bodies or SDP content using affected versions of pjsip (2.16 and below). It allows reading of 1-2 bytes of adjacent heap memory, which could potentially expose sensitive information or lead to undefined behavior in the application.
While the vulnerability is a moderate severity issue, the unintended memory read could be leveraged in attacks that exploit leaked memory contents or cause application instability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an out-of-bounds heap read during SIP multipart parsing in pjsip versions 2.16 and below. Detection would involve monitoring SIP messages with multipart bodies or SDP content for abnormal behavior or memory access issues.
Since the vulnerability occurs during parsing of SIP multipart messages, one approach is to capture SIP traffic and analyze multipart message boundaries for irregularities or malformed packets that could trigger the issue.
No specific detection commands or signatures are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the pjsip library to version 2.17 or later, where this vulnerability has been fixed.
The fix includes improved boundary delimiter checks and safer parsing logic to prevent out-of-bounds reads.
If upgrading immediately is not possible, consider restricting or filtering incoming SIP messages with multipart bodies or SDP content from untrusted sources to reduce exposure.