CVE Alert

CVE-2026-42225

UNKNOWN 0.0

GnuTLS backend silently skips certificate chain verification when verify_peer is false

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verify_server = PJ_TRUE or verify_client = PJ_TRUE. This issue has been patched in version 2.17.

CWE: CWE-295
Vendor: pjsip
Product: pjproject
Published: May 7, 2026

Affected Versions

pjsip / pjproject
< 2.17

References

https://github.com/pjsip/pjproject/security/advisories/GHSA-x2fv-6j6c-pxmx
https://github.com/pjsip/pjproject/commit/ef684252bb62b0716675b6e99ad7fe4c90e28920
https://github.com/pjsip/pjproject/releases/tag/2.17