PJSIP Presence Event Subscription Heap Use-After-Free Vulnerability

Vulnerability

A heap use-after-free vulnerability has been identified in PJSIP's event subscription framework, specifically in versions through 2.16. This vulnerability occurs during the unsubscription process of presence events, when a SUBSCRIBE request is received with an Expires value of 0. The issue arises in the presence subscription termination handler, where the event processing incorrectly frees memory that is still in use, leading to potential memory corruption.

Impact

This vulnerability affects any application that serves as a presence server and manages SUBSCRIBE requests, including those that support presence, Message Waiting Indicator (MWI), and dialog events.

Remediation

Users can upgrade to PJSIP version 2.17, where this vulnerability has been patched.

Added: Mar 6, 2026, 7:40 AM
Updated: Mar 6, 2026, 7:40 AM

Vulnerability Rating

Custom Algorithm
spread
9.8
impact
2.5
exploitability
7.7
remediation
7.7
relevance
2.3
threat
3.2
urgency
2.9
incentive
4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.