Can you explain this vulnerability to me?

The CVE-2026-42225 vulnerability affects the PJSIP multimedia communication library specifically in its SIP TLS transport when built with the GnuTLS backend. In versions prior to 2.17, the library can accept TLS connections with invalid or untrusted certificates even if the application explicitly enables certificate verification via settings like verify_server = PJ_TRUE or verify_client = PJ_TRUE.

This means that the TLS certificate chain verification is silently skipped, allowing an attacker positioned on the network to bypass TLS certificate validation. This flaw enables man-in-the-middle attacks on outbound SIPS connections in client mode or bypasses mutual-TLS authentication in server mode.

Only builds using GnuTLS are affected; builds using OpenSSL or Apple SecureTransport/Network.framework are not impacted. The issue has been patched in PJSIP version 2.17.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in PJSIP's SIP TLS transport on GnuTLS builds allows connections with invalid or untrusted certificates even when certificate verification is explicitly enabled. This flaw enables man-in-the-middle attacks by bypassing TLS certificate validation.

Such a security weakness can undermine the confidentiality and integrity of communications, which are critical requirements under common standards and regulations like GDPR and HIPAA. Failure to properly verify TLS certificates may lead to unauthorized data interception or tampering, potentially resulting in non-compliance with these regulations' mandates for protecting sensitive data in transit.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can have serious security impacts by allowing attackers to perform man-in-the-middle attacks on TLS connections used by PJSIP's SIP TLS transport. Because certificate verification can be bypassed, attackers can intercept, modify, or impersonate communication sessions without detection.

In client mode, attackers can intercept outbound SIPS connections, compromising confidentiality and integrity of the communication. In server mode, attackers can bypass mutual TLS authentication, potentially gaining unauthorized access or disrupting secure communications.

Such attacks can lead to data leakage, session hijacking, or unauthorized access to communication channels, severely undermining the security guarantees expected from TLS.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the PJSIP library's SIP TLS transport silently skipping certificate chain verification on GnuTLS builds even when verification is enabled. Detection involves verifying whether your system is running a vulnerable version of PJSIP (version 2.16 or earlier) built with the GnuTLS backend.

To detect this on your system, you can check the PJSIP version and SSL backend used. For example, you can inspect the PJSIP library version by running commands like:

• ldd $(which your_sip_application) | grep pjsip # To check linked PJSIP libraries
• strings $(ldd $(which your_sip_application) | grep pjsip | awk '{print $3}') | grep -i version # To find version info

Additionally, to detect if invalid or untrusted certificates are accepted during SIP TLS connections, you can capture and analyze SIP TLS traffic using tools like Wireshark or tcpdump, looking for TLS handshakes that accept invalid certificates.

• tcpdump -i <interface> port 5061 -w sip_tls_capture.pcap
• Use Wireshark to inspect the captured TLS handshakes for certificate validation failures.

Note that no specific detection commands are provided in the resources, but these general steps can help identify vulnerable versions and suspicious TLS behavior.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade PJSIP to version 2.17 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, a temporary workaround is to switch from the GnuTLS SSL backend to an alternative SSL backend such as OpenSSL or Apple SecureTransport/Network.framework, which are not affected by this issue.

Additionally, ensure that your application explicitly enables certificate verification (verify_server = PJ_TRUE or verify_client = PJ_TRUE) and verify that the SSL backend enforces this properly.

Useful 0 Not Useful 0