Cyber Resilience

CVE-2026-34235

Medium

Published: 31 March 2026

Published
31 March 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 32.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-34235 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Teluu Pjsip. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34235 is a heap out-of-bounds read vulnerability in PJSIP, a free and open-source multimedia communication library written in C. The flaw affects versions prior to 2.17 and resides in the VP9 RTP unpacketizer, where insufficient bounds checking on the payload descriptor length during parsing of crafted VP9 Scalability Structure (SS) data can lead to reads beyond the allocated RTP payload buffer. This issue is classified under CWE-125 (Out-of-bounds Read) and carries a CVSS v3.1 base score of 9.1.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can result in high-impact confidentiality and availability violations, potentially allowing disclosure of sensitive information from heap memory or denial-of-service via application crashes, while integrity remains unaffected due to the read-only nature of the flaw.

The patch is available in PJSIP version 2.17, as detailed in the project's GitHub commit (f4c7d08211da1fe2ad1504434a0ad99d12aa7536) and security advisory (GHSA-pqrm-53pc-wx28). A recommended workaround is to disable the VP9 codec if it is not required.

EU & UK References

Vulnerability details

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds…

more

checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote unauthenticated out-of-bounds read in the PJSIP RTP/VP9 parser, directly enabling exploitation of public-facing applications via crafted network packets with no user interaction required.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41415Same product: Teluu Pjsip
CVE-2026-41416Same product: Teluu Pjsip
CVE-2026-42799Shared CWE-125
CVE-2026-22984Shared CWE-125
CVE-2025-1674Shared CWE-125
CVE-2025-55100Shared CWE-125
CVE-2026-3055Shared CWE-125
CVE-2025-48530Shared CWE-125
CVE-2026-4424Shared CWE-125
CVE-2025-1675Shared CWE-125

Affected Assets

teluu
pjsip
≤ 2.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the vulnerability by requiring timely remediation through patching PJSIP to version 2.17 or later.

prevent

Enables disabling unnecessary VP9 codec functionality as a workaround to prevent exploitation of the VP9 RTP unpacketizer.

prevent

Provides memory protections that mitigate unauthorized heap access and disclosure from out-of-bounds reads.

References