CVE-2026-26967 Overview
CVE-2026-26967 is a critical Heap-based Buffer Overflow vulnerability affecting PJSIP, a free and open source multimedia communication library written in C. The vulnerability exists in PJSIP's H.264 unpacketizer component and occurs when processing malformed SRTP packets. The unpacketizer incorrectly reads a 2-byte NAL unit size field without validating that both bytes are within the payload buffer bounds, leading to potential memory corruption.
This vulnerability affects all applications that receive video using H.264 through PJSIP versions 2.16 and below. Given the widespread use of PJSIP in VoIP applications, video conferencing systems, and SIP-based communication platforms, this vulnerability poses a significant risk to enterprise communications infrastructure.
Critical Impact
Remote attackers can send specially crafted SRTP packets to trigger a heap-based buffer overflow, potentially leading to remote code execution or denial of service in applications using PJSIP for H.264 video communication.
Affected Products
- PJSIP versions 2.16 and below
- Applications using PJSIP's H.264 video codec functionality
- VoIP and video conferencing systems built on PJSIP
Discovery Timeline
- 2026-02-20 - CVE-2026-26967 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-26967
Vulnerability Analysis
The vulnerability resides in the H.264 packetizer module (h264_packetizer.c) within PJSIP's media codec handling. When processing incoming SRTP packets containing H.264 video data, the unpacketizer parses NAL (Network Abstraction Layer) units to reconstruct video frames. The core issue stems from insufficient boundary validation when reading the 2-byte NAL unit size field from the payload buffer.
In the vulnerable code path, the unpacketizer iterates through the payload buffer to extract NAL units. While it performs some boundary checks against the payload end pointer (p_end), it fails to verify that the destination buffer (q) has sufficient space for the 2-byte read operation before accessing the NAL unit size. This allows an attacker to craft a malicious SRTP packet that causes the unpacketizer to read beyond allocated buffer boundaries.
Root Cause
The root cause is a missing boundary check in the H.264 unpacketizer's packet processing loop. The original code verified that the source pointer plus the NAL start code length didn't exceed the payload end, but neglected to validate that the destination buffer had at least 2 bytes available for the NAL unit size field read operation. This is classified as CWE-122 (Heap-based Buffer Overflow).
Attack Vector
The attack can be executed remotely over the network without any authentication or user interaction. An attacker would need to:
- Target an application using PJSIP with H.264 video enabled
- Establish or inject into an RTP/SRTP session
- Send malformed SRTP packets with crafted NAL unit structures
- Trigger the buffer overflow during H.264 frame reconstruction
The network-based attack vector makes this particularly dangerous for internet-facing VoIP and video conferencing applications.
while (q < q_end && p < p_end) {
pj_uint16_t tmp_nal_size;
- if (p + pktz->cfg.unpack_nal_start > p_end)
+ if (p + pktz->cfg.unpack_nal_start > p_end || q + 2 > q_end)
return PJ_EINVAL;
/* Write NAL unit start code */
Source: GitHub Commit
The patch adds an additional boundary check (q + 2 > q_end) to ensure the destination buffer has sufficient space before reading the 2-byte NAL unit size field, preventing the heap overflow condition.
Detection Methods for CVE-2026-26967
Indicators of Compromise
- Unexpected crashes or segmentation faults in PJSIP-based applications during video calls
- Anomalous SRTP packets with malformed H.264 NAL unit structures
- Memory corruption errors in application logs related to h264_packetizer.c
- Unusual heap allocation patterns during RTP session handling
Detection Strategies
- Deploy network intrusion detection signatures for malformed H.264 NAL unit packets in RTP/SRTP streams
- Monitor application crash dumps for stack traces involving h264_packetizer.c or NAL unit processing functions
- Implement deep packet inspection for RTP payloads with invalid NAL unit size fields
- Use memory sanitizers (ASan, MSan) during development and testing to detect heap overflows
Monitoring Recommendations
- Enable verbose logging for PJSIP media codec operations to capture packet processing errors
- Monitor for repeated PJ_EINVAL return codes from H.264 unpacketizer functions
- Set up alerts for application restarts or crashes during active video sessions
- Track RTP session statistics for abnormal packet rejection rates
How to Mitigate CVE-2026-26967
Immediate Actions Required
- Update PJSIP to the latest patched version that includes commit f821c214e52b11bae11e4cd3c7f0864538fb5491
- Review all applications using PJSIP for H.264 video functionality and prioritize patching
- Consider temporarily disabling H.264 video codec support if patching is not immediately feasible
- Implement network-level filtering to block suspicious RTP/SRTP traffic from untrusted sources
Patch Information
A security patch is available from the PJSIP project. The fix is contained in commit f821c214e52b11bae11e4cd3c7f0864538fb5491 which adds proper boundary validation before reading NAL unit size fields. Organizations should apply this patch by updating to a PJSIP version that includes this fix.
For detailed information about the vulnerability and patch, refer to:
Workarounds
- Disable H.264 video codec in PJSIP configuration and use alternative codecs (VP8, VP9) until patching is complete
- Restrict video functionality to trusted network segments only
- Deploy web application firewalls or network security appliances capable of inspecting RTP payload structures
- Implement strict input validation at the application layer before passing data to PJSIP
# Configuration example - Disable H.264 codec in PJSIP
# In pjsip configuration, remove or comment out H.264 codec registration
# Example for pjsua2 applications:
# accountConfig.videoConfig.enabled = false
# Or disable specific codec:
# pjsua_vid_codec_set_priority("H264", 0)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
