CVE-2026-34235 Overview
CVE-2026-34235 is an Out-of-Bounds Read vulnerability affecting PJSIP, a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer.
Critical Impact
Attackers can exploit this vulnerability remotely by sending crafted VP9 RTP packets, potentially causing information disclosure or denial of service through memory access violations.
Affected Products
- PJSIP versions prior to 2.17
- Applications using PJSIP's VP9 codec functionality
- VoIP and multimedia communication systems built on PJSIP
Discovery Timeline
- 2026-03-31 - CVE-2026-34235 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34235
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-bounds Read), occurring in PJSIP's VP9 RTP packetization handling code. The flaw resides in the vpx_packetizer.c file where the VP9 Scalability Structure (SS) data is parsed from incoming RTP packets.
When processing VP9 RTP payloads, the unpacketizer examines flags in the payload descriptor to determine the presence of optional fields. Specifically, when the Y bit (0x10) is set, indicating that each spatial layer's frame resolution is present, the code increments the descriptor length by N_S * 4 bytes. However, prior to the patch, no validation was performed to ensure this calculated descriptor length remained within the bounds of the actual payload buffer.
An attacker can craft a malicious VP9 RTP packet with specific flag combinations that cause the descriptor length calculation to exceed the payload length, resulting in heap memory being read beyond the allocated buffer boundaries.
Root Cause
The root cause is insufficient bounds checking in the VP9 payload descriptor parsing logic. When the Y flag is set in the Scalability Structure, the code adds to the descriptor length without verifying that the resulting value does not exceed payload_len. This allows subsequent code to read memory outside the allocated RTP payload buffer, potentially exposing sensitive heap data or causing application crashes.
Attack Vector
The vulnerability is network-accessible, requiring no authentication or user interaction to exploit. An attacker can send specially crafted VP9 RTP packets to a vulnerable PJSIP-based application. The attack leverages the Scalability Structure parsing by setting specific flags (Y bit) with controlled N_S values to trigger the out-of-bounds read condition.
INC_DESC_LEN();
/* Y: Each spatial layer's frame resolution present. */
- if (*q & 0x10) desc_len += N_S * 4;
+ if (*q & 0x10) {
+ desc_len += N_S * 4;
+ if (desc_len >= payload_len)
+ return PJ_ETOOSMALL;
+ }
/* G: PG description present flag. */
if (*q & 0x8) {
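Review bot: the new desc_len >= payload_len check sits only inside the Y branch, and the hunk does not show whether the G branch that opens on the following context line (if (*q & 0x8) {) is bounded the same way before it reads further descriptor bytes. Since N_S comes from the packet, consider applying the same check after every increment of desc_len, or once after the whole SS block, so the bound does not depend on which flags are set. A one-line comment stating that >= deliberately rejects a descriptor that consumes the entire payload would also help the next reader.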
Source: GitHub Commit Update
Detection Methods for CVE-2026-34235
Indicators of Compromise
- Unusual VP9 RTP packets with malformed Scalability Structure data
- Application crashes or unexpected termination in PJSIP-based services
- Memory access violations logged in system crash dumps or error logs
- Anomalous RTP traffic patterns targeting VP9 codec endpoints
Detection Strategies
- Monitor for VP9 RTP packets with suspicious payload descriptor flags, particularly those with the Y bit (0x10) set
- Implement network intrusion detection rules for malformed VP9 RTP payloads with abnormal descriptor lengths
- Deploy application-level logging to capture VP9 unpacketizer errors and PJ_ETOOSMALL return codes
- Use memory sanitizers (ASan, MSan) in development and testing environments to detect out-of-bounds reads
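A descriptor-length validator of the kind the second strategy calls for, as an added example (not PJSIP's code and not the patch): it walks the VP9 payload descriptor and checks the bound before every advance, rejecting any payload whose descriptor reaches the end of the payload. The field layout is assumed from the published VP9 RTP payload format; the function names and sample byte strings are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Advance *off by n only if at least one payload byte remains afterwards
 * (off + n < len), written so the arithmetic cannot wrap. */
static int take(size_t *off, size_t n, size_t len)
{
    if (n >= len || *off >= len - n) return -1;
    *off += n;
    return 0;
}

/* Returns the VP9 payload descriptor length, or -1 if it is malformed. */
long vp9_desc_len(const uint8_t *p, size_t len)
{
    size_t off = 0;
    unsigned j;
    if (len == 0) return -1;
    uint8_t b0 = p[0];                      /* I|P|L|F|B|E|V|Z */
    if (take(&off, 1, len)) return -1;
    if ((b0 & 0x80) && take(&off, (p[off] & 0x80) ? 2 : 1, len)) return -1; /* I, M */
    if ((b0 & 0x20) && take(&off, (b0 & 0x10) ? 1 : 2, len)) return -1; /* L, TL0PICIDX if F=0 */
    if ((b0 & 0x50) == 0x50) {              /* P and F: up to 3 P_DIFF bytes */
        for (j = 0; j < 3; j++) {
            uint8_t d = p[off];
            if (take(&off, 1, len)) return -1;
            if (!(d & 0x01)) break;         /* N=0: no further P_DIFF */
        }
    }
    if (b0 & 0x02) {                        /* V: scalability structure */
        uint8_t ss = p[off];
        unsigned layers = (ss >> 5) + 1u;   /* N_S field holds layers - 1 */
        if (take(&off, 1, len)) return -1;
        if ((ss & 0x10) && take(&off, layers * 4u, len)) return -1; /* Y */
        if (ss & 0x08) {                    /* G: picture group entries */
            unsigned n_g = p[off];
            if (take(&off, 1, len)) return -1;
            for (j = 0; j < n_g; j++)       /* R P_DIFF bytes follow each entry */
                if (take(&off, 1u + ((p[off] >> 2) & 0x03u), len)) return -1;
        }
    }
    return (long)off;
}

/* Constructed sample payloads (not captured traffic). */
const uint8_t SAMPLE_OK[]    = {0x02, 0x10, 0x01, 0x40, 0x00, 0xF0, 0xAA};
const uint8_t SAMPLE_SHORT[] = {0x02, 0xF0, 0x00, 0x00, 0x00, 0x00};
const uint8_t SAMPLE_GROUP[] = {0x02, 0x08, 0x01, 0x04, 0x01, 0xAA};
```

A return of -1 corresponds to the case the fixed unpacketizer rejects with PJ_ETOOSMALL, so an inspection tool can count such payloads per source.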
Monitoring Recommendations
- Enable verbose logging for PJSIP media codec operations to track VP9 processing anomalies
- Implement RTP packet inspection at network boundaries to identify crafted payloads
- Monitor application memory usage patterns for signs of heap corruption or unexpected memory access
- Set up alerting for repeated VP9 decoding failures that may indicate exploitation attempts
How to Mitigate CVE-2026-34235
Immediate Actions Required
- Upgrade PJSIP to version 2.17 or later, which contains the security patch
- If upgrading is not immediately possible, disable the VP9 codec in your PJSIP configuration
- Audit systems using PJSIP to identify all affected deployments
- Review network logs for any potential exploitation attempts prior to patching
Patch Information
The vulnerability has been patched in PJSIP version 2.17. The fix adds a bounds check after the descriptor length is calculated when the Y flag is present, returning PJ_ETOOSMALL if the descriptor length reaches or exceeds the payload length. The patch is available in commit f4c7d08211da1fe2ad1504434a0ad99d12aa7536. For detailed patch information, see the GitHub Security Advisory.
Workarounds
- Disable the VP9 codec in PJSIP configuration if it is not required for your use case
- Implement network-level filtering to block malformed VP9 RTP packets at the perimeter
- Use application firewalls or deep packet inspection to validate RTP payload structures
- Consider restricting RTP communication to trusted endpoints only
# Configuration example - Disable VP9 codec in PJSIP
# In your pjsip configuration, disable VP9 by removing it from the codec list
# or explicitly disabling it in codec configuration:
# pjsua command line example:
pjsua --dis-codec=VP9
# Or in pjsua2 Python. VP9 is a video codec, so use the video codec API;
# a priority of 0 disables the codec:
# ep.videoCodecSetPriority("VP9", 0)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

