CVE-2026-28799
Published: 06 March 2026
Summary
CVE-2026-28799 is a high-severity Use After Free (CWE-416) vulnerability in PJSIP (vendor pjsip, product pjsip). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 20.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-28799 is a heap use-after-free vulnerability (CWE-416) in the event subscription framework of PJSIP, specifically in evsub.c. PJSIP is a free and open-source multimedia communication library written in C. The flaw affects versions prior to 2.17 and is triggered during presence unsubscription via a SIP SUBSCRIBE request with Expires=0. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker with network access to a vulnerable PJSIP instance can exploit this issue with low attack complexity and no user interaction. Successful exploitation causes a denial of service (an application crash or significant resource consumption); the CVSS vector reflects this as a high availability impact with no direct confidentiality or integrity effects.
The vulnerability has been patched in PJSIP version 2.17. The official fix is detailed in the commit at https://github.com/pjsip/pjproject/commit/e06ff6c64741cc1675fd3296615910f532f6b1a1, and further guidance is available in the GitHub security advisory at https://github.com/pjsip/pjproject/security/advisories/GHSA-8fj4-fv9f-hjpc. Security practitioners should upgrade to version 2.17 or later to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10006
Vulnerability details
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1499.004 (Application or System Exploitation)
Why these techniques?
The heap use-after-free in PJSIP's evsub.c lets a remote, unauthenticated attacker crash the application with a crafted SIP SUBSCRIBE (Expires=0), which maps directly to T1499.004: exploiting an application to cause an endpoint denial of service.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the heap use-after-free by requiring timely patching to PJSIP version 2.17 or later.
- Memory protection (ASLR, DEP): Provides memory protection mechanisms such as ASLR and DEP that hinder exploitation of the use-after-free; they raise the bar for anything beyond a crash but do not stop the crash-based denial of service itself.
- SC-5 (Denial-of-service Protection): Implements protections against denial-of-service attacks, including those that crash the application via the remote unsubscription trigger.