CVE-2026-41416
Published: 24 April 2026
Summary
CVE-2026-41416 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Teluu Pjsip. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of software flaws like the PJSIP integer overflow, directly preventing exploitation through patching to version 2.17.
Mandates validation of information inputs such as SDP messages to detect and reject malformed ptime configurations that trigger the buffer size overflow.
Implements memory protection mechanisms like ASLR and DEP to mitigate undersized buffer allocations, reducing risks of memory corruption or escalation from crashes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The remote unauthenticated integer overflow in PJSIP SDP processing directly enables exploitation of public-facing VoIP/communication applications over the network for DoS or potential further compromise.
NVD Description
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream buffer size calculation when processing SDP with asymmetric ptime configuration. The overflow may result in…
more
an undersized buffer allocation, which can lead to unexpected application termination or memory corruption This vulnerability is fixed in 2.17.
Deeper analysisAI
CVE-2026-41416 is an integer overflow vulnerability (CWE-190) in the PJSIP multimedia communication library, a free and open-source C library used for VoIP and other real-time communication applications. The issue affects versions 2.16 and earlier, occurring during media stream buffer size calculation when processing Session Description Protocol (SDP) messages with asymmetric ptime configurations. This overflow leads to an undersized buffer allocation, potentially causing unexpected application termination or memory corruption. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
Remote, unauthenticated attackers can exploit this vulnerability by sending specially crafted SDP messages to a vulnerable PJSIP-based application over the network. No user interaction or privileges are required, and exploitation requires low complexity. Successful attacks can trigger denial-of-service through application crashes or, in some cases, memory corruption, potentially enabling further compromise depending on the application's context and memory safety mitigations.
The PJSIP project addressed this vulnerability in version 2.17, with the fixing commit available at https://github.com/pjsip/pjproject/commit/66fe416c96e957417621b7be16e9e587d159f9bb. Additional details are provided in the project's security advisory at https://github.com/pjsip/pjproject/security/advisories/GHSA-f33g-8hjq-62xr, recommending immediate upgrades to the patched version for affected deployments.
Details
- CWE(s)