CVE-2025-65102 Overview
CVE-2025-65102 affects PJSIP, an open source multimedia communication library widely used in Voice over IP (VoIP) applications. The flaw resides in the Opus Packet Loss Concealment (PLC) handling, where the decoder may zero-fill the input frame based on the decoder ptime while the actual input frame length is derived from the stream ptime. When these values diverge, the operation writes beyond the allocated buffer. The issue impacts PJSIP deployments using the Opus audio codec for receiving audio. Exploitation results in unexpected application termination through memory overwrite. The maintainers patched the issue in version 2.16.
Critical Impact
Remote attackers can trigger a memory overwrite in PJSIP-based VoIP applications using the Opus codec, leading to process termination and denial of service over the network without authentication.
Affected Products
- PJSIP (pjproject) versions prior to 2.16
- VoIP applications and SIP clients linking the PJSIP library with Opus codec support
- Embedded communication stacks that consume PJSIP for real-time audio
Discovery Timeline
- 2025-11-21 - CVE-2025-65102 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-65102
Vulnerability Analysis
The vulnerability is a buffer overflow [CWE-120] in the Opus decoder path of PJSIP's media handling. PJSIP allocates the input frame buffer based on the negotiated stream ptime (packetization time). When packet loss occurs, the Opus PLC logic zero-fills the input frame using the decoder's own ptime value. If the decoder ptime exceeds the stream ptime, the zero-fill operation writes past the end of the allocated frame buffer. The resulting memory corruption crashes the host process, producing a denial-of-service condition affecting audio reception.
Root Cause
The defect originates in pjmedia/src/pjmedia-codec/opus.c within the Opus decode routine. The function calculates the zero-fill length from the decoder configuration rather than validating it against the actual size of the input frame buffer. This boundary mismatch between two independent ptime values is the root cause of the out-of-bounds write.
Attack Vector
An unauthenticated remote attacker establishes or participates in a SIP session with a target PJSIP-based endpoint negotiating the Opus codec. By manipulating stream parameters or inducing packet loss conditions that force PLC activation, the attacker triggers the mismatched zero-fill. No user interaction is required beyond accepting or processing the inbound media stream.
pjmedia_frame *inframe;
int frm_size;
- PJ_UNUSED_ARG(output_buf_len);
pj_mutex_lock (opus_data->mutex);
if (opus_data->dec_frame_index == -1) {
Source: PJSIP Opus codec patch commit. The patch removes the PJ_UNUSED_ARG(output_buf_len) macro, signaling that the decoder now consumes the output buffer length parameter to bound the zero-fill operation rather than ignoring it.
Detection Methods for CVE-2025-65102
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes linking PJSIP with Opus codec support
- Repeated SIP session terminations correlated with Opus-negotiated media streams
- Core dumps showing fault addresses inside or adjacent to pjmedia-codec/opus.c decoder routines
Detection Strategies
- Inventory binaries linking libpjmedia and verify the PJSIP version string against 2.16
- Inspect SIP/SDP traffic for Opus codec negotiation paired with unusual ptime attribute values
- Correlate VoIP application crash telemetry with active Opus RTP sessions and packet-loss events
Monitoring Recommendations
- Enable verbose PJSIP logging at the media transport layer to capture decoder state at the time of crash
- Track process restart counts on SIP gateways, softphones, and PBX hosts
- Monitor RTP streams for abnormal packet loss patterns that consistently precede service interruptions
How to Mitigate CVE-2025-65102
Immediate Actions Required
- Upgrade PJSIP (pjproject) to version 2.16 or later across all dependent applications
- Rebuild and redeploy any third-party software statically linking vulnerable PJSIP builds
- Audit SIP-facing services for exposure to untrusted networks and restrict access where feasible
Patch Information
The fix is included in PJSIP 2.16. Review the PJSIP Security Advisory GHSA-w5vr-39x7-h8g5 and the upstream patch commit for technical details. The corrected decoder honors output_buf_len when performing PLC zero-fill, preventing writes beyond the allocated frame buffer.
Workarounds
- Disable the Opus codec in PJSIP configuration and negotiate alternative codecs such as G.711 or G.722 until patches are deployed
- Restrict inbound SIP signaling to trusted peers using firewall rules or session border controller policies
- Align decoder and stream ptime configuration values where the codec stack permits explicit tuning
# Disable Opus codec registration in PJSIP-based applications
# Example for pjsua-based clients
pjsua_codec_set_priority(pj_str("opus/48000/2"), PJMEDIA_CODEC_PRIO_DISABLED);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
