
CVE-2026-28799

Severity: High
Published: 06 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: PJSIP 2.17
CVSS Score (v4): 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0029 (20.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28799 is a high-severity Use After Free (CWE-416) vulnerability in Pjsip Pjsip. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 20.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-28799 is a heap use-after-free vulnerability (CWE-416) in the event subscription framework of PJSIP, specifically in evsub.c. PJSIP is a free and open-source multimedia communication library written in C. The flaw affects versions prior to 2.17 and is triggered during presence unsubscription via a SIP SUBSCRIBE request with Expires=0. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker with network access to a vulnerable PJSIP instance can exploit this issue with low complexity and no user interaction. Successful exploitation results in denial of service, either an application crash or significant resource consumption, which is reflected in the high availability impact; there is no direct confidentiality or integrity impact.

The vulnerability has been patched in PJSIP version 2.17. The official fix is detailed in the commit at https://github.com/pjsip/pjproject/commit/e06ff6c64741cc1675fd3296615910f532f6b1a1, and further guidance is available in the GitHub security advisory at https://github.com/pjsip/pjproject/security/advisories/GHSA-8fj4-fv9f-hjpc. Security practitioners should upgrade to version 2.17 or later to mitigate the risk.


Vulnerability details

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.

CWE(s): CWE-416 (Use After Free)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The heap use-after-free in PJSIP evsub.c enables a remote, unauthenticated attacker to crash the application via a crafted SIP SUBSCRIBE (Expires=0), which maps directly to application exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32942 (same product: Pjsip Pjsip)
CVE-2026-29068 (same product: Pjsip Pjsip)
CVE-2026-25994 (same product: Pjsip Pjsip)
CVE-2026-33069 (same product: Pjsip Pjsip)
CVE-2026-40614 (same product: Pjsip Pjsip)
CVE-2026-40892 (same product: Pjsip Pjsip)
CVE-2026-32945 (same product: Pjsip Pjsip)
CVE-2026-26330 (shared CWE-416)
CVE-2026-4271 (shared CWE-416)
CVE-2024-57959 (shared CWE-416)

Affected Assets

Vendor: pjsip
Product: pjsip
Versions: ≤ 2.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates the heap use-after-free vulnerability by requiring timely patching to PJSIP version 2.17 or later.

Memory protection (prevent; control ID not given on this page)
Provides memory protection mechanisms such as ASLR and DEP that hinder exploitation of the use-after-free beyond a crash.

SC-5 Denial-of-service Protection (prevent, detect)
Implements protections against denial-of-service attacks, including those that cause application crashes via the remote unsubscription trigger.
