Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32945

CVE-2026-32945: PJSIP Buffer Overflow Vulnerability

CVE-2026-32945 is a heap-based buffer overflow in PJSIP's DNS parser affecting versions 2.16 and below. This flaw impacts applications using PJSIP's built-in DNS resolver. Learn about technical details, impact, and mitigation.

Published:

CVE-2026-32945 Overview

CVE-2026-32945 is a high-severity heap-based buffer overflow vulnerability discovered in PJSIP, a free and open source multimedia communication library written in C. The vulnerability exists in the DNS parser's name length handler, which can be exploited by attackers to cause memory corruption when processing malicious DNS responses.

This vulnerability specifically impacts applications that use PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. Organizations using PJSIP for VoIP, video conferencing, and other real-time communication applications should prioritize remediation.

Critical Impact

Network-based attackers can exploit the heap-based buffer overflow in the DNS parser to potentially achieve remote code execution or cause denial of service on systems using PJSIP's built-in DNS resolver.

Affected Products

  • PJSIP versions 2.16 and below
  • Applications using PJSUA/PJSUA2 with configured nameserver settings
  • Systems using pjsua_config.nameserver or UaConfig.nameserver

Discovery Timeline

  • 2026-03-20 - CVE-2026-32945 published to NVD
  • 2026-03-23 - Last updated in NVD database

Technical Details for CVE-2026-32945

Vulnerability Analysis

The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow), which occurs when a program writes data beyond the boundaries of heap-allocated memory. In this case, the flaw resides in the DNS parser component of PJSIP, specifically in the handling of DNS name lengths.

When processing DNS responses, the parser fails to properly validate the length of DNS names before copying data to heap-allocated buffers. This improper bounds checking allows an attacker to craft malicious DNS responses that trigger memory corruption when parsed by the vulnerable application.

The vulnerability is exploitable over the network without requiring authentication or user interaction, though exploitation complexity is considered high due to the need for attackers to intercept or manipulate DNS traffic.

Root Cause

The root cause of CVE-2026-32945 is improper input validation in the DNS name length handler. The parser does not adequately verify that the declared length of DNS names in incoming responses matches the actual buffer size allocated for storage. This mismatch allows for heap memory corruption when oversized or malformed DNS name data is processed.

Applications that do not configure a nameserver (relying on OS-level resolution via getaddrinfo()) or those using an external resolver through pjsip_resolver_set_ext_resolver() are not affected by this vulnerability.

Attack Vector

The attack vector is network-based, requiring the attacker to be in a position to deliver malicious DNS responses to the target application. This could be achieved through:

  • DNS spoofing or cache poisoning attacks
  • Man-in-the-middle positioning on the network path
  • Compromised DNS infrastructure

The vulnerability manifests in the DNS name parsing routine when handling responses. An attacker can craft a malicious DNS response with oversized name length fields that, when processed by the vulnerable parser, cause heap buffer overflow. This can lead to memory corruption, potential arbitrary code execution, or application crashes resulting in denial of service.

For detailed technical information about the exploitation mechanics, see the GitHub Security Advisory.

Detection Methods for CVE-2026-32945

Indicators of Compromise

  • Unusual DNS query/response patterns involving VoIP or SIP-related services
  • Application crashes or segmentation faults in PJSIP-based applications
  • Unexpected heap memory corruption errors in process logs
  • Anomalous DNS traffic targeting systems running PJSIP with built-in resolver

Detection Strategies

  • Monitor for abnormal DNS response sizes, particularly those with oversized name fields
  • Deploy intrusion detection rules to identify malformed DNS packets targeting PJSIP applications
  • Implement memory corruption detection tools (such as AddressSanitizer) in development and testing environments
  • Review application logs for PJSIP DNS resolver errors or unexpected terminations

Monitoring Recommendations

  • Enable verbose logging for PJSIP DNS resolution activities
  • Monitor network traffic for DNS responses with anomalous name length values
  • Implement network-level monitoring for DNS traffic to/from SIP/VoIP infrastructure
  • Track process stability metrics for applications using PJSIP libraries

How to Mitigate CVE-2026-32945

Immediate Actions Required

  • Upgrade PJSIP to version 2.17 or later, which contains the security fix
  • Audit all applications and systems using PJSIP to identify those with built-in DNS resolver configurations
  • Disable the built-in DNS resolver by setting nameserver_count to zero as an interim measure
  • Consider implementing an external resolver via pjsip_resolver_set_ext_resolver() as an alternative

Patch Information

The vulnerability has been fixed in PJSIP version 2.17. The security patch is available through the GitHub commit 5311aee398ae9d623829a6bad7b679a193c9e199. Organizations should update their PJSIP installations to the patched version as soon as possible.

Additional details and the official security advisory can be found at the GitHub Security Advisory GHSA-jr2p-p2w4-rr9q.

Workarounds

  • Disable DNS resolution in PJSIP configuration by setting nameserver_count to zero
  • Configure applications to use OS-level DNS resolution via getaddrinfo() instead of the built-in resolver
  • Implement an external resolver using pjsip_resolver_set_ext_resolver() to bypass the vulnerable code path
  • Deploy network-level protections such as DNSSEC validation to reduce the risk of malicious DNS responses
bash
# Example PJSIP configuration to disable built-in DNS resolver
# In pjsua_config initialization:
# cfg.nameserver_count = 0;

# Or configure external resolver in application code
# pjsip_resolver_set_ext_resolver(resolver, &ext_resolver);

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.