CVE-2025-65102 Overview
CVE-2025-65102 affects PJSIP, a free and open source multimedia communication library used in Voice over IP (VoIP) and real-time communication applications. The vulnerability resides in the Opus Packet Loss Concealment (PLC) handling logic of the Opus audio codec decoder. Prior to version 2.16, the PLC routine may zero-fill the input frame using the decoder ptime, while the actual input frame length, derived from the stream ptime, can be smaller. This length mismatch produces an out-of-bounds memory write [CWE-120] that can terminate the application unexpectedly. The issue affects PJSIP deployments that use the Opus codec in the receiving direction.
Critical Impact
A remote peer sending Opus audio frames with mismatched ptime values can trigger a memory overwrite that crashes the receiving PJSIP application, causing denial of service for VoIP endpoints, softphones, and PBX systems.
Affected Products
- PJSIP (pjproject) versions prior to 2.16
- Applications embedding PJSIP with Opus codec receive support enabled
- VoIP clients, softphones, and SIP gateways built on the PJSIP stack
Discovery Timeline
- 2025-11-21 - CVE-2025-65102 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-65102
Vulnerability Analysis
The defect resides in pjmedia/src/pjmedia-codec/opus.c, which implements the Opus codec wrapper for PJSIP. When the decoder loses a packet, it invokes Packet Loss Concealment to synthesize a replacement frame. The PLC code path zero-fills an input buffer using a length derived from the decoder ptime (packet time). However, the frame buffer actually allocated for the stream is sized according to the stream ptime, which may be shorter than the decoder ptime. The mismatch causes the zero-fill operation to write past the end of the allocated input frame, corrupting adjacent memory and producing a classic buffer overflow condition tracked as [CWE-120].
Root Cause
The root cause is an unchecked length assumption between two related but distinct timing parameters. The decoder ptime represents the codec-side frame duration, while stream ptime represents the duration negotiated for the actual RTP stream. The original code treats them as interchangeable when zero-filling the input frame. When stream_ptime < decoder_ptime, the write extends beyond the buffer boundary.
Attack Vector
An attacker reaches the vulnerable code path by establishing a SIP session that negotiates the Opus codec and then sending RTP traffic that induces packet loss or ptime mismatches on the receiving side. No authentication or user interaction is required because the codec is exercised during normal call setup and media flow. Successful exploitation results in process termination on the receiving PJSIP application.
pjmedia_frame *inframe;
int frm_size;
- PJ_UNUSED_ARG(output_buf_len);
pj_mutex_lock (opus_data->mutex);
if (opus_data->dec_frame_index == -1) {
Source: PJSIP patch commit 6e9bd2e
The upstream patch removes the PJ_UNUSED_ARG(output_buf_len) macro and uses output_buf_len to bound the zero-fill operation, preventing writes beyond the allocated input frame.
Detection Methods for CVE-2025-65102
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes linking against libpjmedia or libpjproject while handling Opus RTP streams
- Core dumps showing stack traces inside pjmedia-codec/opus.c PLC routines
- SIP session logs that show Opus codec negotiation followed by abrupt media termination
- Repeated re-registration or restart events on VoIP endpoints after receiving calls from untrusted peers
Detection Strategies
- Inventory all applications and appliances that embed PJSIP and identify the linked version through binary inspection or package metadata
- Inspect SIP signaling for SDP offers advertising Opus with non-standard or mismatched ptime and maxptime attributes
- Correlate VoIP service restarts with inbound RTP flows from external networks to identify probable exploitation attempts
Monitoring Recommendations
- Forward PJSIP application logs, crash reports, and SIP proxy logs to a centralized analytics pipeline for retention and search
- Alert on repeated abnormal terminations of softphone or PBX processes within short time windows
- Monitor RTP session statistics for unusual packet loss patterns immediately preceding media process crashes
How to Mitigate CVE-2025-65102
Immediate Actions Required
- Upgrade PJSIP to version 2.16 or later in all affected applications, appliances, and SDK integrations
- Rebuild and redistribute downstream products that statically link against vulnerable PJSIP versions
- Restrict inbound SIP and RTP traffic to trusted peers using session border controllers or firewall ACLs until patches are deployed
Patch Information
The issue is fixed in PJSIP version 2.16. The corrective change is available in commit 6e9bd2e7d25bba26f852771b40693f45da14fa8f and documented in the PJSIP GHSA-w5vr-39x7-h8g5 advisory. The patch ensures the PLC zero-fill operation is bounded by the actual output buffer length.
Workarounds
- Disable the Opus codec in PJSIP-based applications and negotiate alternative codecs such as G.711 or G.722 until the upgrade is complete
- Terminate inbound media at a session border controller that transcodes Opus to another codec before forwarding to vulnerable endpoints
- Apply strict SIP peering policies and authentication to limit exposure to untrusted callers
# Verify the linked PJSIP version on Linux systems
strings /usr/lib/libpjproject.so* | grep -i "pjproject\|pjsip" | head
pkg-config --modversion libpjproject
# Build PJSIP 2.16 from source with Opus support
git clone https://github.com/pjsip/pjproject.git
cd pjproject
git checkout 2.16
./configure --with-opus
make dep && make && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

