CVE-2026-26203 Overview
CVE-2026-26203 is a heap buffer underflow vulnerability in PJSIP's H.264 packetizer component. PJSIP is a widely-used free and open source multimedia communication library that provides support for VoIP, video calling, and other real-time communication features. This vulnerability affects versions prior to 2.17 and occurs when processing malformed H.264 bitstreams without NAL (Network Abstraction Layer) unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer.
Critical Impact
Attackers exploiting this vulnerability could potentially trigger out-of-bounds memory reads by supplying crafted H.264 video streams, leading to information disclosure or application crashes in multimedia communication applications.
Affected Products
- PJSIP versions prior to 2.17
- Applications and services built on PJSIP multimedia library
- VoIP and video communication solutions utilizing PJSIP
Discovery Timeline
- 2026-02-19 - CVE CVE-2026-26203 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26203
Vulnerability Analysis
This vulnerability is classified as a heap buffer underflow (CWE-416) in the H.264 packetizer component of PJSIP. The issue manifests in the h264_packetizer.c file where the packetizer processes fragmented NAL units. When handling continuation fragments (not the first fragment), the code retrieves the NRI (NAL Reference IDC) and NAL unit type from a previous fragment by performing pointer arithmetic: p = nal_start - pktz->cfg.mtu.
The root problem is that this subtraction was performed without verifying that nal_start points to a location at least mtu bytes into the buffer. When processing malformed H.264 bitstreams that lack proper NAL unit start codes, this unchecked arithmetic could result in the pointer p pointing to memory before the allocated buffer, causing a heap buffer underflow condition when the code subsequently reads from this invalid memory location.
Root Cause
The root cause is improper bounds checking in the H.264 fragmentation handling logic. The packetizer assumes that when processing non-first fragments, the nal_start pointer is positioned sufficiently far into the buffer to safely subtract the MTU size. However, malformed input streams can violate this assumption, leading to pointer arithmetic that results in accessing memory outside the allocated buffer boundaries.
Attack Vector
The attack vector requires local access to supply malformed H.264 video content to an application using the vulnerable PJSIP library. An attacker would craft a malicious H.264 bitstream specifically designed to trigger the vulnerable code path by:
- Creating an H.264 stream that enters the fragmentation handling code without proper NAL unit start codes
- Manipulating the stream state to reach the continuation fragment processing branch
- Triggering the unsafe pointer subtraction when nal_start is positioned too close to the buffer start
The following patch demonstrates the fix implemented in version 2.17:
/* Not the first fragment, get NRI and NAL unit type
* from the previous fragment.
*/
/* Verify nal_start */
if (nal_start < buf + pktz->cfg.mtu) {
PJ_LOG(2,(THIS_FILE,
"Bad H.264 fragmentation state at pos=%u", *pos));
return PJ_EINVAL;
}
p = nal_start - pktz->cfg.mtu;
NRI = (*p & 0x60) >> 5;
TYPE = *(p+1) & 0x1F;
/* Check fragmentation indication */
if ((*(p) & 0x1F) != NAL_TYPE_FU_A) {
PJ_LOG(2,(THIS_FILE,
"Bad H.264 fragmentation state at pos=%u", *pos));
return PJ_EINVAL;
}
}
/* Init FU indicator (one octet: F+NRI+TYPE) */
Source: GitHub Commit
Detection Methods for CVE-2026-26203
Indicators of Compromise
- Unexpected application crashes in VoIP or video communication applications using PJSIP
- Abnormal memory access patterns or segmentation faults during H.264 video processing
- Error logs indicating H.264 fragmentation state issues or invalid NAL unit handling
Detection Strategies
- Monitor for applications using PJSIP versions prior to 2.17 through software inventory scanning
- Implement runtime memory protection tools (ASAN, Valgrind) in development environments to detect out-of-bounds memory access
- Deploy application-level crash monitoring to detect exploitation attempts targeting multimedia processing
Monitoring Recommendations
- Enable verbose logging in PJSIP-based applications to capture H.264 packetizer errors
- Monitor system logs for abnormal termination of VoIP/video applications
- Use endpoint detection solutions to identify unusual memory access patterns in multimedia applications
How to Mitigate CVE-2026-26203
Immediate Actions Required
- Upgrade PJSIP to version 2.17 or later which contains the security patch
- Audit all applications and services using PJSIP library for vulnerable versions
- Review and test any custom H.264 video input handling in affected deployments
Patch Information
The vulnerability has been addressed in PJSIP version 2.17. The fix adds proper bounds checking before performing pointer arithmetic in the H.264 packetizer's fragmentation handling code. The patch verifies that nal_start is at least mtu bytes from the buffer start before subtracting, and also validates that the previous fragment contains the expected FU-A (Fragmentation Unit type A) NAL unit type indicator. For detailed patch information, refer to the GitHub Security Advisory GHSA-p965-mf7j-gwv8.
Workarounds
- Restrict video input sources to trusted origins until patching is complete
- Implement input validation at the application layer to reject malformed H.264 streams before they reach PJSIP
- Consider disabling H.264 codec support temporarily if not required for operations
# Check PJSIP version in your deployment
pjsip-apps/bin/pjsua --help | grep -i version
# Update PJSIP from source to version 2.17+
git clone https://github.com/pjsip/pjproject.git
cd pjproject
git checkout 2.17
./configure && make dep && make
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
