๐Ÿ” CVE Alert

CVE-2026-26967

UNKNOWN 0.0

PJSIP has a Heap-based Buffer Overflow vulnerability in its H.264 unpacketizer

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are within the payload buffer bounds. The vulnerability affects applications that receive video using H.264. A patch is available at https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491.
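The missing check described above, as an added example that is not PJSIP's code or the code from the patch. It assumes the 2-byte size field is the one that prefixes each NAL unit in an RFC 6184 STAP-A aggregation payload (the page does not name the packet type); the function name and sample payloads are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not PJSIP code: walks the size-prefixed NAL units of
 * an RFC 6184 STAP-A payload (assumed packet type). Returns the number of
 * NAL units found, or -1 if the payload is malformed. */
int stap_a_count_nals(const uint8_t *payload, size_t len)
{
    size_t off = 1;   /* skip the 1-byte STAP-A NAL header */
    int count = 0;

    if (payload == NULL || len < 1 || (payload[0] & 0x1F) != 24)
        return -1;    /* NAL type 24 = STAP-A */

    while (off < len) {
        size_t nal_size;

        /* The validation the description says was missing: both bytes of
         * the size field must lie inside the payload before they are read. */
        if (len - off < 2)
            return -1;
        nal_size = ((size_t)payload[off] << 8) | payload[off + 1];
        off += 2;

        /* The declared size must also fit in the bytes that remain. */
        if (nal_size > len - off)
            return -1;
        off += nal_size;
        count++;
    }
    return count;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t ok_payload[]  = { 0x18, 0x00, 0x02, 0x67, 0x42, 0x00, 0x01, 0x68 };
static const uint8_t cut_payload[] = { 0x18, 0x00, 0x02, 0x67, 0x42, 0x00 }; /* 1 byte of size left */
static const uint8_t big_payload[] = { 0x18, 0x00, 0x09, 0x67, 0x42 };       /* size exceeds payload */

int main(void)
{
    printf("%d %d %d\n",
           stap_a_count_nals(ok_payload, sizeof ok_payload),
           stap_a_count_nals(cut_payload, sizeof cut_payload),
           stap_a_count_nals(big_payload, sizeof big_payload));
    return 0;
}
```

The comparisons are written as `len - off < 2` and `nal_size > len - off` so that no pointer or offset is ever advanced past the end of the buffer before it is checked.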

CWE: CWE-122
Vendor: pjsip
Product: pjproject
Published: Feb 20, 2026
Last Updated: Feb 20, 2026

Affected Versions

pjsip / pjproject
< f821c214e52b11bae11e4cd3c7f0864538fb5491

References

github.com: https://github.com/pjsip/pjproject/security/advisories/GHSA-x2hc-6969-g8v6
github.com: https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491