CVE-2026-33069
Published: 20 March 2026
Summary
CVE-2026-33069 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Pjsip Pjsip. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of software flaws like the out-of-bounds heap read in PJSIP, directly preventing exploitation via crafted SIP messages.
Implements safeguards protecting heap memory from unauthorized disclosure, mitigating leakage of adjacent data caused by the PJSIP parsing vulnerability.
Enforces validation of incoming SIP multipart inputs to block malformed data that triggers the out-of-bounds heap read in pjsip_multipart_parse().
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated OOB read in public-facing SIP parser directly enables T1190 (exploit public-facing app) and T1212 (exploitation for credential access via heap memory disclosure of keys/creds).
NVD Description
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not…
more
reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.
Deeper analysisAI
CVE-2026-33069 is a cascading out-of-bounds heap read vulnerability in the pjsip_multipart_parse() function of PJSIP, a free and open-source multimedia communication library written in C. It affects versions 2.16 and below, where after boundary string matching, the curptr pointer is advanced past the delimiter without checking if it has reached the buffer end, allowing 1-2 bytes of adjacent heap memory to be read. All applications processing incoming SIP messages with multipart bodies or SDP content are potentially vulnerable. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-125 (Out-of-bounds Read).
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction by sending crafted SIP messages containing malicious multipart bodies or SDP content. Successful exploitation enables the attacker to read 1-2 bytes from adjacent heap memory locations, potentially leaking sensitive information such as credentials, keys, or other data stored nearby in the heap, though it does not allow modification of data or denial of service.
The PJSIP project resolved this issue in version 2.17, as detailed in the commit at https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db and the security advisory at https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj. Security practitioners should prioritize upgrading affected applications to PJSIP 2.17 or later to mitigate the risk.
Details
- CWE(s)