CVE-2026-40614
Published: 21 April 2026
Summary
CVE-2026-40614 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in PJSIP. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 9.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely identification, reporting, and correction of software flaws like this heap buffer overflow in PJSIP, by patching to the fixed version.
- SI-16 (Memory Protection): implements runtime memory protection mechanisms such as ASLR and DEP to hinder exploitation of heap buffer overflows during Opus audio decoding.
- SI-10 (Information Input Validation): requires validation of information inputs, such as Opus frame sizes, before processing, so that oversized packets that trigger the buffer overflow are rejected.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in PJSIP client library allows remote exploitation via crafted Opus audio frames with user interaction (UI:R) to achieve arbitrary code execution, directly mapping to Exploitation for Client Execution.
NVD Description
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.
Deeper analysis
CVE-2026-40614 is a heap buffer overflow vulnerability (CWE-122) affecting PJSIP, a free and open-source multimedia communication library written in C, in versions 2.16 and earlier. The flaw arises in the Opus codec decode path due to insufficient buffer size validation when decoding Opus audio frames. FEC decode buffers (dec_frame[].buf) are allocated using a PCM-derived formula—(sample_rate/1000) * 60 * channel_cnt * 2—which, for example, provides only 960 bytes at 8 kHz mono. However, codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280 bytes) via opus_repacketizer_out_range(), and the three pj_memcpy() calls in codec_decode() copy input->size bytes without bounds checking, triggering the overflow.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating exploitation is possible remotely over the network by unauthenticated attackers with low complexity, though it requires user interaction, such as processing a maliciously crafted Opus audio frame in an application using PJSIP. Successful exploitation can lead to high confidentiality, integrity, and availability impacts, potentially enabling arbitrary code execution, data corruption, or denial of service via heap overflow.
Mitigation is detailed in the PJSIP project's GitHub security advisory (GHSA-j59p-4xrr-fp8g) and addressed by commit 17897e835818f8ee03b1806ddcd7b95ea16d2c0e, which fixes the buffer allocation and validation issues. Affected users should update to a PJSIP version incorporating this patch and review applications for proper handling of Opus audio decoding.
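The sizing mismatch described in the NVD description and the deeper analysis above (a 960-byte buffer from the PCM-derived formula versus a 1280-byte encoded frame, copied without a bounds check), as an added C example that is not PJSIP's code and not the project's actual patch. The structure and function names are constructed for illustration; the "fix" shown (size the buffer to at least MAX_ENCODED_PACKET_SIZE and check the copy length against the recorded capacity) is an assumed remediation, not a description of commit 17897e83.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration; names mirror the advisory's wording but this is
 * not PJSIP's real decoder code. */
#define MAX_ENCODED_PACKET_SIZE 1280   /* frame size quoted in the advisory */

struct dec_frame { uint8_t *buf; size_t cap; size_t size; };
struct frame_in  { const uint8_t *buf; size_t size; };

/* PCM-derived formula quoted in the advisory: 8 kHz mono gives 960 bytes. */
size_t fec_buf_size(unsigned sample_rate, unsigned channel_cnt)
{
    return (size_t)(sample_rate / 1000) * 60 * channel_cnt * 2;
}

/* Assumed remediation: allocate at least the largest encoded frame the parser
 * can hand over, and record the real capacity next to the buffer. */
int dec_frame_init(struct dec_frame *df, unsigned sample_rate, unsigned channel_cnt)
{
    size_t need = fec_buf_size(sample_rate, channel_cnt);
    if (need < MAX_ENCODED_PACKET_SIZE)
        need = MAX_ENCODED_PACKET_SIZE;
    df->buf = malloc(need);
    if (!df->buf) return -1;
    df->cap = need;
    df->size = 0;
    return 0;
}

/* The copy that was unchecked: refuse any frame larger than the buffer. */
int store_frame_checked(struct dec_frame *df, const struct frame_in *in)
{
    if (in->size > df->cap) return -1;   /* would have run past the heap block */
    memcpy(df->buf, in->buf, in->size);
    df->size = in->size;
    return 0;
}

/* Scenario from the advisory: a 1280-byte encoded frame offered to a buffer
 * sized by the old formula (960 bytes). Returns 1 when the frame is rejected. */
int oversized_frame_is_rejected(void)
{
    uint8_t packet[MAX_ENCODED_PACKET_SIZE];   /* constructed sample input */
    uint8_t legacy[960];                       /* old-formula buffer, 8 kHz mono */
    struct dec_frame old = { legacy, sizeof legacy, 0 };
    struct frame_in in = { packet, sizeof packet };
    memset(packet, 0x5a, sizeof packet);
    return store_frame_checked(&old, &in) == -1;
}
```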
Details
- CWE(s): CWE-122 (Heap-based Buffer Overflow)