CVE-2026-32942 Overview
CVE-2026-32942 is a heap use-after-free vulnerability affecting PJSIP, a free and open source multimedia communication library written in C. The vulnerability exists in versions 2.16 and below and occurs within the ICE (Interactive Connectivity Establishment) session handling component. Race conditions between session destruction and callback execution can lead to memory corruption, potentially enabling attackers to compromise systems utilizing PJSIP for VoIP and multimedia communications.
Critical Impact
Attackers exploiting this use-after-free vulnerability via network access could achieve high confidentiality and integrity impact on affected systems running vulnerable PJSIP versions.
Affected Products
- PJSIP versions 2.16 and below
- Applications and VoIP systems built using vulnerable PJSIP library versions
- SIP softphones and communication platforms incorporating PJSIP
Discovery Timeline
- 2026-03-20 - CVE-2026-32942 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32942
Vulnerability Analysis
This use-after-free vulnerability (CWE-416) is rooted in improper memory handling within PJSIP's ICE session implementation. The ICE protocol is used for NAT traversal in peer-to-peer multimedia communications, making it a critical component for VoIP and WebRTC applications.
The vulnerability arises from race conditions that occur when an ICE session is being destroyed while callbacks associated with that session are still pending or executing. When these race conditions are triggered, the code may attempt to access memory that has already been freed, leading to undefined behavior.
Use-after-free vulnerabilities are particularly dangerous in network-facing components because they can potentially be exploited remotely to achieve code execution or cause denial of service. The network-accessible nature of this vulnerability means that attackers could potentially trigger the race condition by crafting specific sequences of ICE-related network traffic.
Root Cause
The root cause of CVE-2026-32942 is inadequate synchronization between the session destruction logic and callback handlers in the ICE session implementation. When a session is destroyed, the associated memory structures are freed, but callbacks that were scheduled or in-flight may still hold references to this memory. Without proper locking mechanisms or reference counting, these callbacks may dereference pointers to already-freed memory, resulting in heap corruption.
Attack Vector
The attack vector for this vulnerability is network-based, requiring no privileges or user interaction. An attacker could potentially exploit this vulnerability by:
- Establishing an ICE session with a vulnerable PJSIP endpoint
- Timing network traffic to trigger session destruction while callbacks are pending
- Leveraging the resulting memory corruption to influence program execution
The vulnerability can be triggered through carefully timed ICE signaling messages that induce the race condition between session teardown and callback execution. Further technical details can be found in the GitHub Security Advisory and the related GitHub Issue Discussion.
Detection Methods for CVE-2026-32942
Indicators of Compromise
- Unexpected crashes or segmentation faults in applications using PJSIP for ICE/STUN/TURN functionality
- Memory corruption errors in system logs related to PJSIP processes
- Abnormal ICE session termination patterns in VoIP traffic logs
- Core dumps indicating heap corruption in ICE-related code paths
Detection Strategies
- Monitor application logs for PJSIP-related crashes, particularly those occurring during session teardown
- Implement runtime memory sanitizers (AddressSanitizer, Valgrind) in development and testing environments to detect use-after-free conditions
- Deploy intrusion detection rules to identify unusual ICE traffic patterns that may indicate exploitation attempts
- Perform software composition analysis to identify applications using vulnerable PJSIP versions
Monitoring Recommendations
- Enable verbose logging for ICE session lifecycle events in PJSIP-based applications
- Configure crash reporting mechanisms to capture and analyze PJSIP-related crashes
- Monitor network traffic for anomalous ICE connectivity check patterns or rapid session creation/destruction sequences
- Implement SentinelOne Singularity Platform for real-time behavioral analysis of processes using PJSIP libraries
How to Mitigate CVE-2026-32942
Immediate Actions Required
- Upgrade PJSIP to version 2.17 or later, which contains the fix for this vulnerability
- Audit all applications and systems to identify those using vulnerable PJSIP versions
- Prioritize patching for internet-facing VoIP and communication services
- Review network segmentation to limit exposure of PJSIP-based services to untrusted networks
Patch Information
The PJSIP maintainers have addressed this vulnerability in version 2.17. The fix implements proper synchronization to prevent race conditions between session destruction and callback execution. The specific commit addressing this issue is available at:
Organizations should update their PJSIP installations and rebuild any applications that statically link against the library.
Workarounds
- If immediate patching is not possible, consider placing PJSIP-based services behind network firewalls with strict access controls
- Limit ICE functionality to trusted network segments where feasible
- Implement process isolation and sandboxing for applications using vulnerable PJSIP versions
- Monitor for abnormal process behavior and implement automatic restart mechanisms to maintain service availability
# Verify PJSIP version and update
# Check current PJSIP version in your application
pkg-config --modversion libpjproject
# Update PJSIP to patched version 2.17+
git clone https://github.com/pjsip/pjproject.git
cd pjproject
git checkout 2.17
./configure && make dep && make
sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
