PJSIP Heap-Based Buffer Overflow Vulnerability in H.264 Unpacketizer

Vulnerability

A critical heap-based buffer overflow vulnerability has been identified in PJSIP versions 2.16 and below, specifically within the H.264 unpacketizer. This vulnerability arises when the unpacketizer processes malformed SRTP packets, as it reads a 2-byte NAL unit size field without properly validating that both bytes are within the bounds of the payload buffer. The issue affects applications that handle video using H.264.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, which can commonly result in arbitrary code execution or memory corruption.

Remediation

Users can upgrade to PJSIP version 2.17, where this vulnerability has been patched.

Added: Feb 20, 2026, 1:39 AM
Updated: Feb 20, 2026, 1:39 AM

Vulnerability Rating

Custom Algorithm
spread
9.8
impact
2.5
exploitability
8.4
remediation
7.7
relevance
2.0
threat
3.2
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.