ALPINE-CVE-2026-33069

Source
https://security.alpinelinux.org/vuln/CVE-2026-33069
Import Source
https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-33069.json
JSON Data
https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-33069
Upstream
Published
2026-03-20T09:16:15.183Z
Modified
2026-06-15T18:18:11.079522635Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.

References

Affected packages

Alpine:v3.24 / pjproject

Package

Name
pjproject
Purl
pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.17.0-r0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-33069.json"