{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32945", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.283Z", "datePublished": "2026-03-20T03:54:00.813Z", "dateUpdated": "2026-03-20T03:54:00.813Z"}, "containers": {"cna": {"title": "PJSIP is vulnerable to Heap-based Buffer Overflow through DNS parser", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q"}, {"name": "https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199", "tags": ["x_refsource_MISC"], "url": "https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199"}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"version": "< 2.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T03:54:00.813Z"}, "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead."}], "source": {"advisory": "GHSA-jr2p-p2w4-rr9q", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead."}], "id": "CVE-2026-32945", "lastModified": "2026-03-20T04:16:49.927", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T04:16:49.927", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199"}, {"source": "security-advisories@github.com", "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.17)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pjproject", "source": "cna", "vendor": "pjsip"}, "product": "pjproject", "vendor": "pjsip"}], "analysis": {"en": {"generated_at": "2026-03-20T05:50:58.212274+00:00", "value": {"mitigation_remediation": ["Upgrade PJSIP to version 2.17 or later", "If upgrade is not possible, disable DNS resolution in the PJSIP configuration by setting nameserver_count to zero", "Alternatively, use an external resolver implementation via pjsip_resolver_set_ext_resolver()", "Monitor the vendor\u2019s website for additional patches or updates"], "summary": {"action": "Immediate Patch", "impact": "Heap-based Buffer Overflow leading to memory corruption"}, "threat_synthesis": {"affected_systems": "Affected versions are pjsip:pjproject 2.16 and earlier. Applications that use PJSIP\u2019s built\u2011in DNS resolver\u2014configured via pjsua_config.nameserver or UaConfig.nameserver\u2014are impacted. Systems that rely on the OS resolver (e.g., leaving nameserver empty) or those that use an external resolver via pjsip_resolver_set_ext_resolver() are not affected.", "description_and_impact": "The vulnerability resides in PJSIP\u2019s DNS parser name\u2011length handling and results in a heap\u2011based buffer overflow, which can corrupt memory and potentially allow an attacker to cause a crash or execute arbitrary code. The flaw is classified as CWE\u2011122 (Heap-Based Buffer Overflow).", "risk_and_exploitability": "The CVSS score of 8.4 indicates high severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring an attacker to supply a specially crafted DNS response to the vulnerable DNS parser. Based on the description, it is inferred that such a response can trigger the overflow, leading to memory corruption. The absence of a public exploit suggests that the risk of exploitation is moderate to high for vulnerable deployments."}}}}, "created": "2026-03-20T08:52:45.080423+00:00", "updated": "2026-03-20T10:37:26.739693+00:00", "vendors": ["pjsip", "pjsip$PRODUCT$pjproject"]}