CVE-2026-32945 Overview
CVE-2026-32945 is a high-severity heap-based buffer overflow vulnerability discovered in PJSIP, a free and open source multimedia communication library written in C. The vulnerability exists in the DNS parser's name length handler, which can be exploited by attackers to cause memory corruption when processing malicious DNS responses.
This vulnerability specifically impacts applications that use PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. Organizations using PJSIP for VoIP, video conferencing, and other real-time communication applications should prioritize remediation.
Critical Impact
Network-based attackers can exploit the heap-based buffer overflow in the DNS parser to potentially achieve remote code execution or cause denial of service on systems using PJSIP's built-in DNS resolver.
Affected Products
- PJSIP versions 2.16 and below
- Applications using PJSUA/PJSUA2 with configured nameserver settings
- Systems using pjsua_config.nameserver or UaConfig.nameserver
Discovery Timeline
- 2026-03-20 - CVE-2026-32945 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32945
Vulnerability Analysis
The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow), which occurs when a program writes data beyond the boundaries of heap-allocated memory. In this case, the flaw resides in the DNS parser component of PJSIP, specifically in the handling of DNS name lengths.
When processing DNS responses, the parser fails to properly validate the length of DNS names before copying data to heap-allocated buffers. This improper bounds checking allows an attacker to craft malicious DNS responses that trigger memory corruption when parsed by the vulnerable application.
The vulnerability is exploitable over the network without requiring authentication or user interaction, though exploitation complexity is considered high due to the need for attackers to intercept or manipulate DNS traffic.
Root Cause
The root cause of CVE-2026-32945 is improper input validation in the DNS name length handler. The parser does not adequately verify that the declared length of DNS names in incoming responses matches the actual buffer size allocated for storage. This mismatch allows for heap memory corruption when oversized or malformed DNS name data is processed.
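The kind of validation this paragraph describes, shown as a bounds-checked DNS name decoder. This is an added example, not PJSIP's code or its patch. The function name, the pointer hop limit and the sample packets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035 limit on an encoded name */
#define DNS_MAX_HOPS 16    /* assumed cap on compression pointers followed */

/* Decode the name at pkt[off] into out as dotted text.
 * Returns the text length, or -1 if the name is malformed or does not fit. */
int dns_name_decode(const uint8_t *pkt, size_t pkt_len, size_t off,
                    char *out, size_t out_cap)
{
    size_t pos = off, written = 0;
    int hops = 0;
    if (out_cap == 0)
        return -1;
    for (;;) {
        if (pos >= pkt_len)
            return -1;                      /* length byte outside packet */
        uint8_t len = pkt[pos];
        if (len == 0)
            break;                          /* root label ends the name */
        if ((len & 0xC0) == 0xC0) {         /* compression pointer */
            if (pkt_len - pos < 2 || ++hops > DNS_MAX_HOPS)
                return -1;                  /* truncated pointer or loop */
            pos = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            continue;
        }
        if (len & 0xC0)
            return -1;                      /* reserved label types */
        if (len > pkt_len - pos - 1)
            return -1;                      /* label runs past packet end */
        /* Check the destination before copying: label plus separator
         * (the final separator is later overwritten by the NUL). */
        if (written + len + 1 > out_cap || written + len + 1 >= DNS_MAX_NAME)
            return -1;
        memcpy(out + written, pkt + pos + 1, len);
        written += len;
        out[written++] = '.';
        pos += 1 + (size_t)len;
    }
    if (written > 0)
        written--;                          /* drop trailing dot */
    out[written] = '\0';
    return (int)written;
}

/* Constructed samples: a valid name, and a label claiming 63 bytes with 3 present. */
static const uint8_t SAMPLE_OK[] = {3,'s','i','p',7,'e','x','a','m','p','l','e',3,'o','r','g',0};
static const uint8_t SAMPLE_TRUNC[] = {63,'s','i','p'};
```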
Applications that do not configure a nameserver (relying on OS-level resolution via getaddrinfo()) or those using an external resolver through pjsip_resolver_set_ext_resolver() are not affected by this vulnerability.
Attack Vector
The attack vector is network-based, requiring the attacker to be in a position to deliver malicious DNS responses to the target application. This could be achieved through:
- DNS spoofing or cache poisoning attacks
- Man-in-the-middle positioning on the network path
- Compromised DNS infrastructure
The vulnerability manifests in the DNS name parsing routine when handling responses. An attacker can craft a malicious DNS response with oversized name length fields that, when processed by the vulnerable parser, cause heap buffer overflow. This can lead to memory corruption, potential arbitrary code execution, or application crashes resulting in denial of service.
For detailed technical information about the exploitation mechanics, see the GitHub Security Advisory.
Detection Methods for CVE-2026-32945
Indicators of Compromise
- Unusual DNS query/response patterns involving VoIP or SIP-related services
- Application crashes or segmentation faults in PJSIP-based applications
- Unexpected heap memory corruption errors in process logs
- Anomalous DNS traffic targeting systems running PJSIP with built-in resolver
Detection Strategies
- Monitor for abnormal DNS response sizes, particularly those with oversized name fields
- Deploy intrusion detection rules to identify malformed DNS packets targeting PJSIP applications
- Implement memory corruption detection tools (such as AddressSanitizer) in development and testing environments
- Review application logs for PJSIP DNS resolver errors or unexpected terminations
Monitoring Recommendations
- Enable verbose logging for PJSIP DNS resolution activities
- Monitor network traffic for DNS responses with anomalous name length values
- Implement network-level monitoring for DNS traffic to/from SIP/VoIP infrastructure
- Track process stability metrics for applications using PJSIP libraries
How to Mitigate CVE-2026-32945
Immediate Actions Required
- Upgrade PJSIP to version 2.17 or later, which contains the security fix
- Audit all applications and systems using PJSIP to identify those with built-in DNS resolver configurations
- Disable the built-in DNS resolver by setting nameserver_count to zero as an interim measure
- Consider implementing an external resolver via pjsip_resolver_set_ext_resolver() as an alternative
Patch Information
The vulnerability has been fixed in PJSIP version 2.17. The security patch is available through the GitHub commit 5311aee398ae9d623829a6bad7b679a193c9e199. Organizations should update their PJSIP installations to the patched version as soon as possible.
Additional details and the official security advisory can be found at the GitHub Security Advisory GHSA-jr2p-p2w4-rr9q.
Workarounds
- Disable the built-in DNS resolver in the PJSIP configuration by setting nameserver_count to zero
- Configure applications to use OS-level DNS resolution via getaddrinfo() instead of the built-in resolver
- Implement an external resolver using pjsip_resolver_set_ext_resolver() to bypass the vulnerable code path
- Deploy network-level protections such as DNSSEC validation to reduce the risk of malicious DNS responses
/* Example PJSIP configuration to disable the built-in DNS resolver. */
/* In pjsua_config initialization: */
cfg.nameserver_count = 0;
/* Or configure an external resolver in application code: */
/* pjsip_resolver_set_ext_resolver(resolver, &ext_resolver); */

