CVE-2026-29068
Published: 06 March 2026
Summary
CVE-2026-29068 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Pjsip Pjsip. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-29068 is a stack buffer overflow vulnerability (CWE-121) in PJSIP, a free and open-source multimedia communication library written in C. The flaw affects the pjmedia-codec component in versions prior to 2.17, where parsing an RTP payload containing more frames than the caller-provided buffer can hold triggers the overflow.
With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), the vulnerability is exploitable over the network with low complexity, requiring no privileges or user interaction. Remote attackers can send a specially crafted RTP payload to any system processing it via PJSIP, causing a stack buffer overflow that leads to denial of service through application crashes or instability.
The issue has been patched in PJSIP version 2.17. Security practitioners should upgrade to this version for mitigation. Additional details are available in the GitHub security advisory at https://github.com/pjsip/pjproject/security/advisories/GHSA-pqww-jrxr-457f and the patching commit at https://github.com/pjsip/pjproject/commit/6c9024511bf5307ff72efde1f90c9a2a226d8967.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10020
Vulnerability details
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, there is a stack buffer overflow vulnerability when pjmedia-codec parses an RTP payload contain more frames than the caller-provided frames can hold. This…
more
issue has been patched in version 2.17.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network exploitation of PJSIP (public-facing VoIP/multimedia apps) via crafted RTP payload triggers stack overflow crash, directly enabling T1190 initial access vector and T1499.004 application DoS via vulnerability exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely identification, reporting, and remediation of flaws such as the stack buffer overflow in PJSIP's RTP parsing, directly addressed by patching to version 2.17.
Implements runtime memory protections like stack canaries and non-executable stacks that directly mitigate exploitation of stack buffer overflows in libraries like PJSIP.
Requires validation of RTP payload inputs to detect and reject malformed frames exceeding buffer capacity before processing by the vulnerable pjmedia-codec component.