Cyber Resilience

CVE-2026-32942

Severity: High
Published: 20 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: available (fixed in PJSIP 2.17)
CVSS v4.0 base score: 8.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U; unspecified metrics omitted)
EPSS: 0.0032 (23.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32942 is a high-severity Use After Free (CWE-416) vulnerability in PJSIP (pjproject, listed here as vendor/product "Pjsip Pjsip"). Its CVSS v4.0 base score is 8.0 (High); the CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS places it at the 23.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32942 is a heap use-after-free (CWE-416) in the ICE session code of PJSIP, a free and open-source multimedia communication library written in C. Versions 2.16 and below are affected. The flaw is a race between destruction of an ICE session and callbacks that still hold a pointer to it: if a callback fires after the session's memory has been released, it operates on freed heap memory. Published on 2026-03-20, the CVE carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). The CVSS v4.0 vector shown above scores it 8.0 with low attack complexity (AC:L) and no availability impact (VA:N), so the two scorings disagree on how much the race raises attack complexity and on whether denial of service counts; the v3.1 vector is the one consistent with the impact description that follows.

Unauthenticated remote attackers can trigger the flaw over the network with no user interaction, though v3.1 rates attack complexity high because the attacker must win the timing window between session teardown and the callback. A successful exploit yields high confidentiality, integrity and availability impact within the process hosting PJSIP: disclosure of sensitive information, modification of data, and denial of service, and, as with most heap use-after-free bugs, potentially code execution in the service context.
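As an added illustration (not code from pjproject and not from this page), the following C model replays the interleaving the advisory describes: a completion callback queued by a worker thread runs after the owner thread has destroyed the session. The vulnerable variant frees unconditionally and the callback dereferences the stale pointer; the hardened variant counts references so that destroy() can only release the owner's reference and the object lives until the last in-flight callback lets go. Whether the linked 2.17 commit takes exactly this approach is not stated on this page. All names (sess_t, vuln_on_ice_complete, hard_destroy, the quarantine helpers) are invented, the thread steps are replayed sequentially so the result is deterministic, and "freeing" is simulated by poisoning the object so the dangling access is observable without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Invented model of the bug class on this page: an ICE-like session whose
 * completion callback can run after the owner has destroyed the session.
 * Names (sess_t, vuln_*, hard_*) are illustrative; this is not pjproject code. */

#define SESS_MAGIC  0x1CE5E551u
#define SESS_POISON 0xDEADBEEFu

typedef struct sess {
    unsigned magic;    /* SESS_MAGIC while live, SESS_POISON once freed */
    int refcnt;        /* hardened path: owner + each in-flight callback */
    int destroyed;     /* hardened path: owner has torn the session down */
    int cb_runs;       /* work performed by completed callbacks */
} sess_t;

/* Demo-only quarantine: "freeing" poisons the object instead of returning it to
 * the allocator, so a dangling access stays observable without undefined
 * behaviour. Real code calls free(); an ASan build reports the same access as
 * heap-use-after-free. */
static sess_t *quarantine[8];
static int quarantined;

static void sess_free(sess_t *s) { s->magic = SESS_POISON; quarantine[quarantined++] = s; }
static void quarantine_drain(void) { while (quarantined) free(quarantine[--quarantined]); }

static sess_t *sess_create(void) {
    sess_t *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->magic = SESS_MAGIC;
    s->refcnt = 1;                          /* the owner's reference */
    return s;
}

/* ---- Vulnerable pattern: destroy frees unconditionally, callback borrows a raw pointer ---- */
static void vuln_destroy(sess_t *s) { sess_free(s); }

/* Returns 0 if the session was live, -1 if the callback touched freed memory.
 * Real code has no such check: the first field read *is* the use-after-free. */
static int vuln_on_ice_complete(sess_t *s) {
    if (s->magic != SESS_MAGIC) return -1;
    s->cb_runs++;
    return 0;
}

/* ---- Hardened pattern: reference counting plus a destroyed flag ----
 * The event source takes a reference before queueing the callback and drops it
 * afterwards, so the owner's destroy() can only release its own reference. */
static void sess_add_ref(sess_t *s) { s->refcnt++; }
static void sess_dec_ref(sess_t *s) { if (--s->refcnt == 0) sess_free(s); }

static void hard_destroy(sess_t *s) { s->destroyed = 1; sess_dec_ref(s); }

/* Returns 0 if work was done, 1 if skipped because the owner already destroyed
 * the session, -1 on a freed object (must never happen with correct refcounting). */
static int hard_on_ice_complete(sess_t *s) {
    if (s->magic != SESS_MAGIC) return -1;
    if (s->destroyed) return 1;
    s->cb_runs++;
    return 0;
}

/* Interleaving under test: the worker thread has a callback pending (e.g. ICE
 * nomination finished), the owner thread destroys the session, then the pending
 * callback runs. Returns -1 when the callback dereferenced freed memory. */
static int run_vulnerable_interleaving(void) {
    sess_t *s = sess_create();
    sess_t *pending = s;                    /* worker: captured raw pointer */
    vuln_destroy(s);                        /* owner: frees */
    int rc = vuln_on_ice_complete(pending); /* worker: use-after-free */
    quarantine_drain();
    return rc;
}

/* Returns 0 when every invariant holds: the callback saw live memory and skipped
 * its work, and the object was freed only when the last reference went away. */
static int run_hardened_interleaving(void) {
    sess_t *s = sess_create();
    sess_add_ref(s);                        /* worker: pin before queueing callback */
    hard_destroy(s);                        /* owner: refcnt 2 -> 1, memory stays */
    int rc = hard_on_ice_complete(s);       /* worker: live object, body skipped */
    int live_after_destroy = (s->magic == SESS_MAGIC);
    sess_dec_ref(s);                        /* worker: refcnt 1 -> 0, freed now */
    int freed_at_last_ref = (s->magic == SESS_POISON);
    quarantine_drain();
    return (rc == 1 && live_after_destroy && freed_at_last_ref) ? 0 : -1;
}

int main(void) {
    printf("vulnerable interleaving: %s\n",
           run_vulnerable_interleaving() == -1 ? "use-after-free" : "ok");
    printf("hardened interleaving:   %s\n",
           run_hardened_interleaving() == 0 ? "ok" : "BROKEN");
    return 0;
}
```

The destroyed flag matters as much as the count: without it, a callback that runs after destroy() would do real work against a session the application believes is gone, which is a logic bug even when the memory is still valid. Build the vulnerable variant with a real free() under `-fsanitize=address` to see the same interleaving reported as heap-use-after-free.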

The vulnerability is addressed in PJSIP version 2.17. Mitigation details are available in the fix commit at https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a, the issue discussion at https://github.com/pjsip/pjproject/issues/1451, and the GitHub security advisory at https://github.com/pjsip/pjproject/security/advisories/GHSA-g88q-c2hm-q7p7.

Vulnerability details

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.

CWE(s)

CWE-416 Use After Free
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network exploitation of PJSIP (public-facing SIP/ICE service) directly maps to initial access via public-facing application; high-impact memory corruption enables RCE/DoS in the service context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25994 · Same product: Pjsip Pjsip
CVE-2026-28799 · Same product: Pjsip Pjsip
CVE-2026-40892 · Same product: Pjsip Pjsip
CVE-2026-32945 · Same product: Pjsip Pjsip
CVE-2026-29068 · Same product: Pjsip Pjsip
CVE-2026-33069 · Same product: Pjsip Pjsip
CVE-2026-40614 · Same product: Pjsip Pjsip
CVE-2026-45185 · Shared CWE-416
CVE-2026-41401 · Shared CWE-416
CVE-2026-3593 · Shared CWE-416

Affected Assets

pjsip / pjsip (pjproject)
≤ 2.16 (fixed in 2.17)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely patching of the heap use-after-free in PJSIP versions 2.16 and below by upgrading to version 2.17, including any application or appliance that bundles its own copy of pjproject.

SI-16 Memory Protection (prevent)

Provides memory protections such as non-executable memory and ASLR. These raise the cost of turning the use-after-free into code execution but do not stop the underlying memory corruption, so a crash (denial of service) or data corruption remains possible until the library is patched.

Vulnerability scanning (detect)

Enables identification of systems running vulnerable PJSIP library versions, supporting remediation. Because pjproject is frequently statically linked or vendored into softphones, PBXes and SBCs, scan for the embedded library version as well as for the distribution package.
