CVE-2026-32945
Published: 20 March 2026
Summary
CVE-2026-32945 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Pjsip Pjsip. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the heap-based buffer overflow by requiring timely remediation through patching PJSIP to version 2.17 or applying equivalent fixes.
Prevents exploitation by enforcing strict validation of DNS response name lengths to avoid buffer overflows during parsing.
Mitigates successful exploitation of the heap buffer overflow via memory safeguards such as ASLR and DEP to hinder arbitrary code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in PJSIP DNS resolver (network-reachable, unauthenticated) directly enables remote arbitrary code execution on applications using the library, mapping to exploitation of public-facing applications for initial access.
NVD Description
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured…
more
with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead.
Deeper analysisAI
CVE-2026-32945 is a heap-based buffer overflow vulnerability (CWE-122) in the DNS parser's name length handler within PJSIP, a free and open-source multimedia communication library written in C. It affects versions 2.16 and prior, specifically impacting applications that use PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. Applications relying on the OS resolver (e.g., getaddrinfo()) without configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(), are not affected. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious DNS response that triggers the buffer overflow during parsing, the attacker can achieve high-impact consequences, including arbitrary code execution, data corruption, or denial of service through application crashes, as indicated by the high confidentiality, integrity, and availability impacts.
The issue is fixed in PJSIP version 2.17. For those unable to upgrade, workarounds include disabling DNS resolution in the PJSIP configuration by setting nameserver_count to zero or switching to an external resolver implementation. Official advisories and the fixing commit are available at the PJSIP GitHub security advisory (GHSA-jr2p-p2w4-rr9q) and the patch commit (5311aee398ae9d623829a6bad7b679a193c9e199).
Details
- CWE(s)