CVE-2026-34235
PJSIP: Heap OOB read in VPX unpacketizer
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
11th
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.
| CWE | CWE-125 |
| Vendor | pjsip |
| Product | pjproject |
| Published | Mar 31, 2026 |
| Last Updated | Apr 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for pjsip pjproject
Be the first to know when new critical vulnerabilities affecting pjsip pjproject are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
pjsip / pjproject
< 2.17