ALPINE-CVE-2026-34235

See a problem?
Please try reporting it to the source first.

Source

https://security.alpinelinux.org/vuln/CVE-2026-34235

Import Source

https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-34235.json

JSON Data

https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-34235

Upstream

CVE-2026-34235

Published

2026-03-31T16:16:32.767Z

Modified

2026-06-15T18:18:11.203109717Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator

Summary

[none]

Details

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.

References

https://security.alpinelinux.org/vuln/CVE-2026-34235

Affected packages

Alpine:v3.24 / pjproject

Package

Name: pjproject
Purl: pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.17.0-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-34235.json"