{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33069", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.343Z", "datePublished": "2026-03-20T08:21:51.442Z", "dateUpdated": "2026-03-20T15:34:38.179Z"}, "containers": {"cna": {"title": "PJSIP has an Out-of-bounds Read in SIP multipart parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj"}, {"name": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db", "tags": ["x_refsource_MISC"], "url": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db"}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"version": "< 2.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:21:51.442Z"}, "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17."}], "source": {"advisory": "GHSA-x5pq-qrp4-fmrj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:34:25.569015Z", "id": "CVE-2026-33069", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:34:38.179Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33069", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:34:25.569015Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:34:33.579Z"}}], "cna": {"title": "PJSIP has an Out-of-bounds Read in SIP multipart parsing", "source": {"advisory": "GHSA-x5pq-qrp4-fmrj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"status": "affected", "version": "< 2.17"}]}], "references": [{"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj", "name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db", "name": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:21:51.442Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33069", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:34:38.179Z", "dateReserved": "2026-03-17T19:27:06.343Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T08:21:51.442Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*", "matchCriteriaId": "117AFEC4-36E1-424F-B2A3-6EC94FBBDF38", "versionEndExcluding": "2.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17."}, {"lang": "es", "value": "PJSIP es una biblioteca de comunicaci\u00f3n multimedia de c\u00f3digo abierto y gratuita escrita en C. Las versiones 2.16 e inferiores tienen una lectura de mont\u00edculo fuera de l\u00edmites en cascada en pjsip_multipart_parse(). Despu\u00e9s de la coincidencia de la cadena de l\u00edmite, curptr se avanza m\u00e1s all\u00e1 del delimitador sin verificar que no ha alcanzado el final del b\u00fafer. Esto permite que se lean 1-2 bytes de memoria de mont\u00edculo adyacente. Todas las aplicaciones que procesan mensajes SIP entrantes con cuerpos multipart o contenido SDP est\u00e1n potencialmente afectadas. Este problema se resuelve en la versi\u00f3n 2.17."}], "id": "CVE-2026-33069", "lastModified": "2026-03-23T15:32:13.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T09:16:15.183", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.17)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pjproject", "source": "cna", "vendor": "pjsip"}, "product": "pjproject", "vendor": "pjsip"}], "analysis": {"en": {"generated_at": "2026-03-20T09:22:41.250572+00:00", "value": {"mitigation_remediation": ["Upgrade PJSIP to version 2.17 or newer to eliminate the vulnerability."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure via Out-of-Bounds Read"}, "threat_synthesis": {"affected_systems": "Vendors and products affected include the PJSIP library (pjproject). All versions 2.16 and earlier are potentially vulnerable because they lack the necessary boundary validation. Applications that receive SIP messages containing multipart or SDP content should be examined to confirm whether they are using a vulnerable PJSIP version.", "description_and_impact": "An out-of-bounds heap read occurs in the pjsip_multipart_parse() function of PJSIP when parsing SIP multipart bodies. After boundary string matching, the internal pointer is advanced beyond the delimiter without verifying it has not reached the end of the buffer, allowing 1\u20132 adjacent heap bytes to be read. This weakness may expose sensitive data that resides in adjacent memory, falling under CWE-125.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity vulnerability. While the EPSS score is not available, the lack of inclusion in the KEV catalog suggests that it has not yet been widely exploited. An attacker can potentially trigger the read by sending a specially crafted SIP message over the network; no elevated privileges are required. The impact is limited to reading a few bytes of adjacent memory, which still poses an information disclosure risk if the adjacent data is sensitive."}}}}, "created": "2026-03-20T10:36:37.397656+00:00", "updated": "2026-03-20T16:27:43.397100+00:00", "vendors": ["pjsip", "pjsip$PRODUCT$pjproject"]}