Cyber Posture

CVE-2026-28799

Severity: High

Published: 06 March 2026

Modified: 10 March 2026
KEV Added: not listed
Patch: see fix commit and advisory below
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (18.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28799 is a high-severity use-after-free (CWE-416) vulnerability in PJSIP (vendor pjsip, product pjsip). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 18.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping has not yet been run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-416: use-after-free exploits that aim for arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR. For this CVE the recorded impact is availability only (C:N/I:N/A:H), so these controls raise the bar against code execution but do not prevent the crash itself; upgrading remains the effective fix.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that cause an application or system to crash and deny availability to users.
Why these techniques?

The heap use-after-free in PJSIP's evsub.c lets a remote, unauthenticated attacker crash the application with a crafted SIP SUBSCRIBE request (Expires=0), which maps directly to application exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.

Deeper analysis (AI-generated)

CVE-2026-28799 is a heap use-after-free vulnerability (CWE-416) in the event subscription framework of PJSIP, specifically in evsub.c. PJSIP is a free and open-source multimedia communication library written in C. The flaw affects versions prior to 2.17 and is triggered during presence unsubscription, that is, a SIP SUBSCRIBE request with Expires=0. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker with network access to a vulnerable PJSIP instance can trigger the issue with low attack complexity and no user interaction. The result is a denial of service, through an application crash or significant resource consumption; the CVSS vector records a high availability impact with no confidentiality or integrity impact.

The vulnerability has been patched in PJSIP version 2.17. The official fix is the commit at https://github.com/pjsip/pjproject/commit/e06ff6c64741cc1675fd3296615910f532f6b1a1, and further guidance is in the GitHub security advisory at https://github.com/pjsip/pjproject/security/advisories/GHSA-8fj4-fv9f-hjpc. Operators should upgrade to version 2.17 or later.

Details

CWE(s): CWE-416

Affected Products

Vendor: pjsip
Product: pjsip
Versions: ≤ 2.17

CVEs Like This One

CVE-2026-32942 (same product: pjsip pjsip)
CVE-2026-29068 (same product: pjsip pjsip)
CVE-2026-33069 (same product: pjsip pjsip)
CVE-2026-25994 (same product: pjsip pjsip)
CVE-2026-40892 (same product: pjsip pjsip)
CVE-2026-40614 (same product: pjsip pjsip)
CVE-2026-32945 (same product: pjsip pjsip)
CVE-2026-6754 (shared CWE-416)
CVE-2026-23351 (shared CWE-416)
CVE-2026-27828 (shared CWE-416)
