{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32945", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.283Z", "datePublished": "2026-03-20T03:54:00.813Z", "dateUpdated": "2026-03-20T14:28:15.761Z"}, "containers": {"cna": {"title": "PJSIP is vulnerable to Heap-based Buffer Overflow through DNS parser", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q"}, {"name": "https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199", "tags": ["x_refsource_MISC"], "url": "https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199"}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"version": "< 2.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T03:54:00.813Z"}, "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead."}], "source": {"advisory": "GHSA-jr2p-p2w4-rr9q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:28:08.596350Z", "id": "CVE-2026-32945", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:28:15.761Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32945", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T14:28:08.596350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:28:12.755Z"}}], "cna": {"title": "PJSIP is vulnerable to Heap-based Buffer Overflow through DNS parser", "source": {"advisory": "GHSA-jr2p-p2w4-rr9q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"status": "affected", "version": "< 2.17"}]}], "references": [{"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q", "name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199", "name": "https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T03:54:00.813Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32945", "state": "PUBLISHED", "dateUpdated": "2026-03-20T14:28:15.761Z", "dateReserved": "2026-03-17T00:05:53.283Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T03:54:00.813Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*", "matchCriteriaId": "117AFEC4-36E1-424F-B2A3-6EC94FBBDF38", "versionEndExcluding": "2.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead."}, {"lang": "es", "value": "PJSIP es una biblioteca de comunicaci\u00f3n multimedia de c\u00f3digo abierto y gratuita escrita en C. Las versiones 2.16 e inferiores tienen una vulnerabilidad de desbordamiento de b\u00fafer basado en mont\u00f3n (Heap-based Buffer Overflow) en el gestor de longitud de nombre del analizador DNS. Esto afecta a las aplicaciones que utilizan el resolvedor DNS integrado de PJSIP, como aquellas configuradas con pjsua_config.nameserver o UaConfig.nameserver en PJSUA/PJSUA2. No afecta a los usuarios que dependen del resolvedor del sistema operativo (por ejemplo, getaddrinfo()) al no configurar un servidor de nombres, o a aquellos que utilizan un resolvedor externo a trav\u00e9s de pjsip_resolver_set_ext_resolver(). Este problema est\u00e1 solucionado en la versi\u00f3n 2.17. Para los usuarios que no pueden actualizar, una soluci\u00f3n alternativa es deshabilitar la resoluci\u00f3n DNS en la configuraci\u00f3n de PJSIP (estableciendo nameserver_count en cero) o utilizar una implementaci\u00f3n de resolvedor externo en su lugar."}], "id": "CVE-2026-32945", "lastModified": "2026-03-23T20:54:34.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T04:16:49.927", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.17)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pjproject", "source": "cna", "vendor": "pjsip"}, "product": "pjproject", "vendor": "pjsip"}], "analysis": {"en": {"generated_at": "2026-03-20T05:50:58.212274+00:00", "value": {"mitigation_remediation": ["Upgrade PJSIP to version 2.17 or later", "If upgrade is not possible, disable DNS resolution in the PJSIP configuration by setting nameserver_count to zero", "Alternatively, use an external resolver implementation via pjsip_resolver_set_ext_resolver()", "Monitor the vendor\u2019s website for additional patches or updates"], "summary": {"action": "Immediate Patch", "impact": "Heap-based Buffer Overflow leading to memory corruption"}, "threat_synthesis": {"affected_systems": "Affected versions are pjsip:pjproject 2.16 and earlier. Applications that use PJSIP\u2019s built\u2011in DNS resolver\u2014configured via pjsua_config.nameserver or UaConfig.nameserver\u2014are impacted. Systems that rely on the OS resolver (e.g., leaving nameserver empty) or those that use an external resolver via pjsip_resolver_set_ext_resolver() are not affected.", "description_and_impact": "The vulnerability resides in PJSIP\u2019s DNS parser name\u2011length handling and results in a heap\u2011based buffer overflow, which can corrupt memory and potentially allow an attacker to cause a crash or execute arbitrary code. The flaw is classified as CWE\u2011122 (Heap-Based Buffer Overflow).", "risk_and_exploitability": "The CVSS score of 8.4 indicates high severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring an attacker to supply a specially crafted DNS response to the vulnerable DNS parser. Based on the description, it is inferred that such a response can trigger the overflow, leading to memory corruption. The absence of a public exploit suggests that the risk of exploitation is moderate to high for vulnerable deployments."}}}}, "created": "2026-03-20T08:52:45.080423+00:00", "updated": "2026-03-20T10:37:26.739693+00:00", "vendors": ["pjsip", "pjsip$PRODUCT$pjproject"]}