{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26967", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-16T22:20:28.612Z", "datePublished": "2026-02-20T00:26:54.397Z", "dateUpdated": "2026-02-20T15:36:17.964Z"}, "containers": {"cna": {"title": "PJSIP has a Heap-based Buffer Overflow vulnerability in its H.264 unpacketizer", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x2hc-6969-g8v6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x2hc-6969-g8v6"}, {"name": "https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491", "tags": ["x_refsource_MISC"], "url": "https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491"}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"version": "< f821c214e52b11bae11e4cd3c7f0864538fb5491", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T00:26:54.397Z"}, "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are within the payload buffer bounds. The vulnerability affects applications that receive video using H.264. A patch is available at https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491."}], "source": {"advisory": "GHSA-x2hc-6969-g8v6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T15:30:23.085713Z", "id": "CVE-2026-26967", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:36:17.964Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26967", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T15:30:23.085713Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:30:24.869Z"}}], "cna": {"title": "PJSIP has a Heap-based Buffer Overflow vulnerability in its H.264 unpacketizer", "source": {"advisory": "GHSA-x2hc-6969-g8v6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"status": "affected", "version": "< f821c214e52b11bae11e4cd3c7f0864538fb5491"}]}], "references": [{"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x2hc-6969-g8v6", "name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x2hc-6969-g8v6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491", "name": "https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are within the payload buffer bounds. The vulnerability affects applications that receive video using H.264. A patch is available at https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T00:26:54.397Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26967", "state": "PUBLISHED", "dateUpdated": "2026-02-20T15:36:17.964Z", "dateReserved": "2026-02-16T22:20:28.612Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-20T00:26:54.397Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*", "matchCriteriaId": "117AFEC4-36E1-424F-B2A3-6EC94FBBDF38", "versionEndExcluding": "2.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are within the payload buffer bounds. The vulnerability affects applications that receive video using H.264. A patch is available at https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491."}], "id": "CVE-2026-26967", "lastModified": "2026-02-20T19:30:22.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-20T01:15:59.953", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x2hc-6969-g8v6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pjsip: PJSIP: Arbitrary code execution via H.264 unpacketizer heap-based buffer overflow", "id": "2441242", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441242"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["A flaw was found in PJSIP. A remote attacker could exploit a heap-based buffer overflow vulnerability in the H.264 unpacketizer by sending specially crafted Secure Real-time Transport Protocol (SRTP) packets. The unpacketizer fails to validate the bounds of a 2-byte Network Abstraction Layer (NAL) unit size field, which can lead to arbitrary code execution."], "name": "CVE-2026-26967", "public_date": "2026-02-20T00:26:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26967\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26967\nhttps://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491\nhttps://github.com/pjsip/pjproject/security/advisories/GHSA-x2hc-6969-g8v6"], "statement": "Exploiting this vulnerability requires that an attacker can induce the processing of untrusted content. If an application accepting input from remote sources processes H.264 content with PJSIP, this vulnerability could consequently be exploited remotely.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,f821c214e52b11bae11e4cd3c7f0864538fb5491)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pjproject", "source": "cna", "vendor": "pjsip"}, "product": "pjproject", "vendor": "pjsip"}], "analysis": {"en": {"generated_at": "2026-04-17T17:37:43.077689+00:00", "value": {"mitigation_remediation": ["Update PJSIP pjproject to the latest release that includes the commit fixing the overflow (e.g., 2.17 or later).", "If an immediate update is not feasible, disable H.264 video decoding or suppress SRTP packet processing until the patch is applied.", "Restrict inbound SRTP video traffic to trusted networks or block untrusted SRTP packets via firewall or ACL rules."], "summary": {"action": "Patch ASAP", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all releases of PJSIP pjproject version 2.16 and earlier. Any application that embeds pjproject and receives H.264 video over SRTP\u2014such as VoIP or video conferencing software\u2014is impacted. The affected vendor/product is PJSIP pjproject, with the specific bug fixed in releases newer than 2.16.", "description_and_impact": "PJSIP\u2019s H.264 unpacketizer contains a heap\u2011based buffer overflow that occurs when it processes malformed SRTP packets. The unpacketizer reads a two\u2011byte NAL unit size field without confirming that the bytes lie within the packet payload, allowing an attacker to overflow the heap and potentially write arbitrary data, which can lead to denial of service or execution of malicious code. The weakness is identified as a buffer overflow (CWE\u2011120, CWE\u2011122).", "risk_and_exploitability": "The CVSS score of 8.1 classifies this as high severity. However, the EPSS score of less than 1% indicates a very low likelihood of exploitation at present, and it is not listed in the CISA KEV catalog. The likely attack vector is remote network: an adversary could send crafted SRTP packets to a vulnerable application to trigger the overflow, potentially leading to remote code execution. Proper validation of packet bounds would prevent exploitation."}}}}, "created": "2026-02-20T09:53:15.406689+00:00", "updated": "2026-04-17T17:45:24.344963+00:00", "vendors": ["pjsip", "pjsip$PRODUCT$pjproject"]}