CVE-2026-34235

Critical

Published: 31 March 2026

Published

31 March 2026

Modified

03 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Score 0.0006 19.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34235 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Teluu Pjsip. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the vulnerability by requiring timely remediation through patching PJSIP to version 2.17 or later.

CM-7 Least Functionality good match

prevent

Enables disabling unnecessary VP9 codec functionality as a workaround to prevent exploitation of the VP9 RTP unpacketizer.

SI-16 Memory Protection partial match

prevent

Provides memory protections that mitigate unauthorized heap access and disclosure from out-of-bounds reads.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a remote unauthenticated out-of-bounds read in the PJSIP RTP/VP9 parser, directly enabling exploitation of public-facing applications via crafted network packets with no user interaction required.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds…

checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.

Deeper analysisAI

CVE-2026-34235 is a heap out-of-bounds read vulnerability in PJSIP, a free and open-source multimedia communication library written in C. The flaw affects versions prior to 2.17 and resides in the VP9 RTP unpacketizer, where insufficient bounds checking on the payload descriptor length during parsing of crafted VP9 Scalability Structure (SS) data can lead to reads beyond the allocated RTP payload buffer. This issue is classified under CWE-125 (Out-of-bounds Read) and carries a CVSS v3.1 base score of 9.1.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can result in high-impact confidentiality and availability violations, potentially allowing disclosure of sensitive information from heap memory or denial-of-service via application crashes, while integrity remains unaffected due to the read-only nature of the flaw.

The patch is available in PJSIP version 2.17, as detailed in the project's GitHub commit (f4c7d08211da1fe2ad1504434a0ad99d12aa7536) and security advisory (GHSA-pqrm-53pc-wx28). A recommended workaround is to disable the VP9 codec if it is not required.