CVE-2026-25994 Overview
A buffer overflow vulnerability has been identified in PJSIP, a free and open source multimedia communication library written in C. The vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames. PJSIP is widely used in VoIP applications, SIP user agents, and real-time communication systems, making this vulnerability particularly concerning for organizations relying on multimedia communication infrastructure.
Critical Impact
Remote attackers can exploit this buffer overflow vulnerability via network-accessible ICE session handling, potentially achieving code execution or causing denial of service in applications using PJSIP versions 2.16 and earlier.
Affected Products
- PJSIP version 2.16 and earlier
- Applications utilizing PJNATH component for ICE session handling
- VoIP and SIP-based communication systems using vulnerable PJSIP versions
Discovery Timeline
- 2026-02-11 - CVE-2026-25994 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2026-25994
Vulnerability Analysis
This vulnerability is classified as CWE-120 (Buffer Copy without Checking Size of Input), commonly known as a Classic Buffer Overflow. The flaw resides in the ICE session credential processing component of PJNATH, where a fixed-size buffer is used to store username data without adequate bounds checking.
The vulnerable code uses a statically allocated 128-byte buffer (char buf[128]) to store username credentials during ICE session establishment. When an attacker supplies a username exceeding this buffer size, the overflow can corrupt adjacent memory, potentially leading to arbitrary code execution or application crashes.
The network-accessible nature of the ICE protocol means this vulnerability can be triggered remotely without authentication, significantly increasing its risk profile for internet-facing VoIP systems.
Root Cause
The root cause is improper input validation in the ice_session.c file within the PJNATH component. The original implementation allocated a fixed 128-byte buffer for username storage without implementing adequate size checks before copying user-supplied credential data. This classic buffer overflow pattern allows attackers to overflow the stack buffer by providing usernames longer than the allocated space.
Attack Vector
An attacker can exploit this vulnerability by initiating an ICE session with a maliciously crafted username that exceeds 128 bytes. The attack can be performed remotely over the network without requiring authentication or user interaction. The ICE protocol is commonly exposed in VoIP and real-time communication applications, providing a direct attack surface.
The exploitation sequence involves:
- Establishing a connection to a target application using PJSIP
- Initiating ICE session negotiation
- Supplying credentials with an oversized username field
- Triggering the buffer overflow in ice_session.c
const pj_ice_sess_cand rem_cand[])
{
pj_ice_sess_checklist *clist;
- char buf[128];
+ enum { MAX_USERNAME_LEN = 512 };
+ char buf[MAX_USERNAME_LEN];
pj_str_t username;
timer_data *td;
pj_status_t status;
Source: GitHub Commit Update
Detection Methods for CVE-2026-25994
Indicators of Compromise
- Abnormally large ICE session credential exchanges in network traffic
- Application crashes or unexpected termination of PJSIP-based services
- Stack corruption errors in VoIP application logs
- Memory access violations in processes using PJNATH libraries
Detection Strategies
- Monitor network traffic for ICE STUN/TURN packets with unusually large username attributes exceeding 128 bytes
- Implement deep packet inspection rules for SIP and ICE protocol anomalies
- Deploy application-level logging to capture credential processing failures
- Use memory protection mechanisms (ASLR, stack canaries) to detect exploitation attempts
Monitoring Recommendations
- Enable verbose logging in PJSIP applications to capture ICE session events
- Configure network intrusion detection systems (IDS) to alert on oversized ICE credentials
- Monitor system logs for segmentation faults in VoIP-related processes
- Implement real-time alerting for unexpected PJSIP process restarts
How to Mitigate CVE-2026-25994
Immediate Actions Required
- Upgrade PJSIP to the latest patched version that includes commit 063b3a155f163cc5a9a1df2c56b6720fd3a0dbb0
- Audit all applications and services that depend on PJSIP or PJNATH libraries
- Review network firewall rules to limit exposure of ICE/STUN/TURN services
- Implement input validation at the application layer as defense in depth
Patch Information
The vulnerability has been addressed in the PJSIP project through commit 063b3a15. The fix increases the username buffer size from 128 bytes to 512 bytes by introducing a MAX_USERNAME_LEN constant. Organizations should apply this patch immediately or upgrade to a PJSIP version that includes this fix.
For detailed security information, refer to the GitHub Security Advisory GHSA-j29p-pvh2-pvqp.
Workarounds
- Deploy network-level filtering to reject ICE packets with username attributes exceeding 128 bytes
- Implement a reverse proxy or SIP gateway that validates credential sizes before forwarding to PJSIP applications
- Enable compiler protections (stack canaries, ASLR) when building PJSIP from source
- Consider network segmentation to isolate VoIP infrastructure from untrusted networks
# Configuration example
# Rebuild PJSIP with security hardening flags
./configure --enable-security-hardening
make dep && make clean && make
# Verify the patched version is installed
strings libpjnath.so | grep MAX_USERNAME_LEN
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
