CVE-2026-42225
Awaiting Analysis Awaiting Analysis - Queue
PJSIP TLS Certificate Verification Bypass

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verify_server = PJ_TRUE or verify_client = PJ_TRUE. This issue has been patched in version 2.17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42225
EUVD
EUVD-2026-28428
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pjsip pjsip to 2.17 (exc)
pjsip pjsip 2.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in PJSIP's SIP TLS transport on GnuTLS builds allows connections with invalid or untrusted certificates even when certificate verification is explicitly enabled. This flaw enables man-in-the-middle attacks by bypassing TLS certificate validation.

Such a security weakness can undermine the confidentiality and integrity of communications, which are critical requirements under common standards and regulations like GDPR and HIPAA. Failure to properly verify TLS certificates may lead to unauthorized data interception or tampering, potentially resulting in non-compliance with these regulations' mandates for protecting sensitive data in transit.

Executive Summary

The CVE-2026-42225 vulnerability affects the PJSIP multimedia communication library specifically in its SIP TLS transport when built with the GnuTLS backend. In versions prior to 2.17, the library can accept TLS connections with invalid or untrusted certificates even if the application explicitly enables certificate verification via settings like verify_server = PJ_TRUE or verify_client = PJ_TRUE.

This means that the TLS certificate chain verification is silently skipped, allowing an attacker positioned on the network to bypass TLS certificate validation. This flaw enables man-in-the-middle attacks on outbound SIPS connections in client mode or bypasses mutual-TLS authentication in server mode.

Only builds using GnuTLS are affected; builds using OpenSSL or Apple SecureTransport/Network.framework are not impacted. The issue has been patched in PJSIP version 2.17.

Impact Analysis

This vulnerability can have serious security impacts by allowing attackers to perform man-in-the-middle attacks on TLS connections used by PJSIP's SIP TLS transport. Because certificate verification can be bypassed, attackers can intercept, modify, or impersonate communication sessions without detection.

In client mode, attackers can intercept outbound SIPS connections, compromising confidentiality and integrity of the communication. In server mode, attackers can bypass mutual TLS authentication, potentially gaining unauthorized access or disrupting secure communications.

Such attacks can lead to data leakage, session hijacking, or unauthorized access to communication channels, severely undermining the security guarantees expected from TLS.

Detection Guidance

This vulnerability involves the PJSIP library's SIP TLS transport silently skipping certificate chain verification on GnuTLS builds even when verification is enabled. Detection involves verifying whether your system is running a vulnerable version of PJSIP (version 2.16 or earlier) built with the GnuTLS backend.

To detect this on your system, you can check the PJSIP version and SSL backend used. For example, you can inspect the PJSIP library version by running commands like:

  • ldd $(which your_sip_application) | grep pjsip # To check linked PJSIP libraries
  • strings $(ldd $(which your_sip_application) | grep pjsip | awk '{print $3}') | grep -i version # To find version info

Additionally, to detect if invalid or untrusted certificates are accepted during SIP TLS connections, you can capture and analyze SIP TLS traffic using tools like Wireshark or tcpdump, looking for TLS handshakes that accept invalid certificates.

  • tcpdump -i <interface> port 5061 -w sip_tls_capture.pcap
  • Use Wireshark to inspect the captured TLS handshakes for certificate validation failures.

Note that no specific detection commands are provided in the resources, but these general steps can help identify vulnerable versions and suspicious TLS behavior.

Mitigation Strategies

The primary mitigation is to upgrade PJSIP to version 2.17 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, a temporary workaround is to switch from the GnuTLS SSL backend to an alternative SSL backend such as OpenSSL or Apple SecureTransport/Network.framework, which are not affected by this issue.

Additionally, ensure that your application explicitly enables certificate verification (verify_server = PJ_TRUE or verify_client = PJ_TRUE) and verify that the SSL backend enforces this properly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart