{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32942", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.283Z", "datePublished": "2026-03-20T03:43:37.112Z", "dateUpdated": "2026-03-20T03:43:37.112Z"}, "containers": {"cna": {"title": "PJSIP has ICE session use-after-free race conditions", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-g88q-c2hm-q7p7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-g88q-c2hm-q7p7"}, {"name": "https://github.com/pjsip/pjproject/issues/1451", "tags": ["x_refsource_MISC"], "url": "https://github.com/pjsip/pjproject/issues/1451"}, {"name": "https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a", "tags": ["x_refsource_MISC"], "url": "https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a"}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"version": "< 2.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T03:43:37.112Z"}, "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17."}], "source": {"advisory": "GHSA-g88q-c2hm-q7p7", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17."}], "id": "CVE-2026-32942", "lastModified": "2026-03-20T04:16:49.743", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T04:16:49.743", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a"}, {"source": "security-advisories@github.com", "url": "https://github.com/pjsip/pjproject/issues/1451"}, {"source": "security-advisories@github.com", "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-g88q-c2hm-q7p7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.17)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pjproject", "source": "cna", "vendor": "pjsip"}, "product": "pjproject", "vendor": "pjsip"}], "analysis": {"en": {"generated_at": "2026-03-20T05:23:01.449991+00:00", "value": {"mitigation_remediation": ["Upgrade PJSIP to version 2.17 or later"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is PJSIP:pjproject. Versions 2.16 and earlier are impacted. The issue was addressed in release 2.17, which removes the race condition and eliminates the use-after-free.", "description_and_impact": "Version 2.16 and below of PJSIP contain a heap use-after-free vulnerability in the ICE session component, triggered by race conditions between session destruction and callback handling. This flaw, identified as CWE-416, can lead to arbitrary code execution or denial of service if an attacker can manipulate the ICE session lifecycle. The CVSS score of 8 underscores the high impact of the vulnerability.", "risk_and_exploitability": "The CVSS score of 8 indicates high severity. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires triggering race conditions between session teardown and callback execution; it is likely to be exploitable within applications that expose that ICE session API. Users should assume that the vulnerability could enable remote code execution if an attacker can control session creation and destruction."}}}}, "created": "2026-03-20T08:52:46.009995+00:00", "updated": "2026-03-20T10:37:27.607083+00:00", "vendors": ["pjsip", "pjsip$PRODUCT$pjproject"]}