CVE-2026-25994

PJSIP has a heap buffer overflow in ICE with long username

CVSS 8.1 HIGHEPSS 1.9%CWE-120

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Affected products

pjsip · pjproject

public PoCs found — 1

exploitdbwww.exploit-db.com/exploits/52561unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/pjsip/pjproject/commit/063b3a155f163cc5a9a1df2c56b6720fd3a0dbb0 https://github.com/pjsip/pjproject/security/advisories/GHSA-j29p-pvh2-pvqp