CVE-2026-33069
Received Received - Intake
Out-of-Bounds Heap Read in PJSIP Multipart Parsing

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33069
EUVD
EUVD-2026-13632
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pjsip pjsip to 2.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an out-of-bounds heap read in the pjsip library, specifically in the function pjsip_multipart_parse(). When parsing SIP multipart messages, after matching a boundary string, the pointer used to read the buffer is advanced past the delimiter without checking if it has reached the end of the buffer. This causes the program to read 1-2 bytes of adjacent heap memory beyond the intended buffer boundary.

The issue affects pjsip versions 2.16 and earlier and is fixed in version 2.17 by adding proper boundary checks and stricter enforcement of expected buffer content after the boundary delimiter.

Impact Analysis

This vulnerability can impact any application that processes incoming SIP messages with multipart bodies or SDP content using affected versions of pjsip (2.16 and below). It allows reading of 1-2 bytes of adjacent heap memory, which could potentially expose sensitive information or lead to undefined behavior in the application.

While the vulnerability is a moderate severity issue, the unintended memory read could be leveraged in attacks that exploit leaked memory contents or cause application instability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves an out-of-bounds heap read during SIP multipart parsing in pjsip versions 2.16 and below. Detection would involve monitoring SIP messages with multipart bodies or SDP content for abnormal behavior or memory access issues.

Since the vulnerability occurs during parsing of SIP multipart messages, one approach is to capture SIP traffic and analyze multipart message boundaries for irregularities or malformed packets that could trigger the issue.

No specific detection commands or signatures are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade the pjsip library to version 2.17 or later, where this vulnerability has been fixed.

The fix includes improved boundary delimiter checks and safer parsing logic to prevent out-of-bounds reads.

If upgrading immediately is not possible, consider restricting or filtering incoming SIP messages with multipart bodies or SDP content from untrusted sources to reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33069. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart