CVE-2022-24786
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-24786
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24786.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-24786
- Aliases
-
- GHSA-vhxv-phmx-g52q
- Downstream
- Published
- 2022-04-06T00:00:00Z
- Modified
- 2025-10-22T18:28:10.719255Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Potential out-of-bound read/write in PJSIP
- Details
-
PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any app that directly uses pjmediartcpfbparserpsi() will be affected. A patch is available in the
masterbranch of thepjsip/pjprojectGitHub repository. There are currently no known workarounds. - Database specific
{ "cwe_ids": [ "CWE-125", "CWE-787" ] }- References
-
- https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
- https://security.gentoo.org/glsa/202210-37
- https://www.debian.org/security/2022/dsa-5285
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
Affected packages
Git / github.com/pjsip/pjproject
Affected ranges
- Type
- GIT
- Repo
- https://github.com/pjsip/pjproject
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
vanir_signatures
[
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"file": "pjmedia/include/pjmedia/rtcp.h"
},
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2022-24786-21e440aa",
"signature_version": "v1",
"digest": {
"line_hashes": [
"165995524492436826008003506642633984663",
"133677705103140688164641498824501451838",
"259416313368328582248717219098280088060",
"275042734431304601182449312341257355525",
"315017238303910129215355466154252445143",
"9785129354242514087666748086975513146",
"248520022701370530477136390898768636120"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"function": "pjmedia_rtcp_fb_build_pli",
"file": "pjmedia/src/pjmedia/rtcp_fb.c"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2022-24786-4317ab18",
"signature_version": "v1",
"digest": {
"function_hash": "168063144898134625731881996357407537201",
"length": 435.0
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"file": "pjmedia/src/pjmedia/rtcp.c"
},
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2022-24786-4f5aff4c",
"signature_version": "v1",
"digest": {
"line_hashes": [
"964439388615226985698997407795386987",
"50204984969835633399775829997712536506",
"287918432622299211532943669813028585746"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"function": "pjmedia_rtcp_fb_build_rpsi",
"file": "pjmedia/src/pjmedia/rtcp_fb.c"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2022-24786-51f68369",
"signature_version": "v1",
"digest": {
"function_hash": "244933196571783332507735174379855200381",
"length": 966.0
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"function": "pjmedia_rtcp_fb_parse_pli",
"file": "pjmedia/src/pjmedia/rtcp_fb.c"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2022-24786-5d60ad9b",
"signature_version": "v1",
"digest": {
"function_hash": "59107664360155524107031641192224396246",
"length": 250.0
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"function": "pjmedia_rtcp_fb_build_sli",
"file": "pjmedia/src/pjmedia/rtcp_fb.c"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2022-24786-638bee8d",
"signature_version": "v1",
"digest": {
"function_hash": "93656797793835204070577170656320131103",
"length": 984.0
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"file": "pjmedia/src/pjmedia/rtcp_fb.c"
},
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2022-24786-8255df86",
"signature_version": "v1",
"digest": {
"line_hashes": [
"136240410088742296705772047800924144113",
"35442197088114250396656572578836334293",
"154075623763773457904980524318011815154",
"310665599734495266714031996795508787941",
"20179806556529709960762190055534847972",
"286700084851521208817823206610639115158",
"153034554123646571854937932715094792321",
"193381654561696936814996422841026129395",
"295365524326838692769138613687159632374",
"133165721604424386706341832039652350306",
"205858442581220285236514813248029197027",
"224031328614288986786483434243885895843",
"225917394875965150333199247254367621830",
"42501037523490756143726121001884561741",
"28210177212912202399789278425357354588",
"167397670088549371046139874051247622116",
"145962196915257114290432251413077897036",
"286700084851521208817823206610639115158",
"83075158924538489746533858654680690773",
"267283128907408447487385435212071058441",
"74106037376466198152252078134084687130",
"206198154095985401271778245773402750938",
"177961226039933892190784664596357570023",
"126335141843718667944072786677383531973",
"308444220955209496626806896612295352260",
"60305106090579602383548546653814353306",
"154075623763773457904980524318011815154",
"256784159461056105686596780602508110211",
"152262539895184772015022753487278489179",
"286700084851521208817823206610639115158",
"83075158924538489746533858654680690773",
"74336809394835436916014339320823966656",
"86410367365705577388299692240936726545",
"117389644708177543473052186783748971628",
"293610155405813823430055057381672445073",
"116179316978520165863042174586841248431",
"97715746124691174704740611419846357540",
"98811835161896908310663488871526223014",
"67465692442535808179433388336991932499",
"251143790466576814367938593725222714062",
"172091639621107861454168400088597082465",
"286700084851521208817823206610639115158",
"83075158924538489746533858654680690773",
"232965584444940678591961809518722867232",
"255177946821926364215325558766644456195",
"317666151878657392766173717557113868539",
"242043878000380821669380951326917176034",
"88102791677473570263706675981717826430",
"147938607712757035528560182097947771368",
"328488060198175468068437065936278431635",
"20847772060190969428936463205045867795",
"169158891931712598715147489688037706513",
"87087974366565370710644087313906301788",
"23367499136104938575096810792606253902",
"266837714915104584616569252580949862045",
"132639941295466046424930411403920946578",
"135857654446051656955626178117893656433",
"71920202491829298080420304535402815330",
"85776037159513251487851203824788478834",
"340206066551304017674915033169997853941",
"20295337275857860672113840226532542218",
"23520211397829419137984170724560079581",
"98318046599372351793048424203211655592",
"164186401215260677572221986200585268890",
"237923781342697461932095293702794514670",
"299494282303633696341558179651167312851",
"191276864308108881242200122031726004091",
"49876967754635265282810827432417734185",
"210913656831397099295104940631373593618",
"20847772060190969428936463205045867795",
"237763291743957568030476749733476397643",
"135297353339173716328236429376019108947",
"134137191368526952044242400584346595457",
"96947463441960904297764255525743595957",
"38703457680190538870662133001516326373",
"150709128243431570115596014354477175679",
"97264480108296867183066344461584939808",
"4958508832244408298917208618408159898",
"91009573975692615513105659138803952645",
"339429807016937708142727521954260297841",
"82049557908742157110539712658294716172",
"175502204172754850583098750892740561980",
"206616321930301122192270845340883930514",
"334404824076899210639135511173190382166",
"303529409535329389777347661363692782417",
"127591588950595382850822244686233348561",
"214358625509582564936212787588501455635",
"264755995101009325106516356812634981167",
"195230002423061672805434853229851594352",
"70624981739514977603439647510245136091",
"166098654200228914341568687469717937880",
"152076907751928020243350104974567975118",
"109044972446898133726937146502002462155",
"275910609831731129721579009494165084402"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"function": "pjmedia_rtcp_fb_parse_nack",
"file": "pjmedia/src/pjmedia/rtcp_fb.c"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2022-24786-8e063512",
"signature_version": "v1",
"digest": {
"function_hash": "212353346985565153226716986469422583976",
"length": 805.0
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"function": "pjmedia_rtcp_fb_parse_rpsi",
"file": "pjmedia/src/pjmedia/rtcp_fb.c"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2022-24786-980d9c4b",
"signature_version": "v1",
"digest": {
"function_hash": "307157754031175078101402685271114253889",
"length": 658.0
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"function": "pjmedia_rtcp_fb_parse_sli",
"file": "pjmedia/src/pjmedia/rtcp_fb.c"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2022-24786-aba8afa7",
"signature_version": "v1",
"digest": {
"function_hash": "73868422228055501526843496509143267213",
"length": 844.0
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"function": "pjmedia_rtcp_fb_build_nack",
"file": "pjmedia/src/pjmedia/rtcp_fb.c"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2022-24786-cb7ef3d2",
"signature_version": "v1",
"digest": {
"function_hash": "316162260467219681407781952138856336526",
"length": 803.0
}
},
{
"source": "https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508",
"target": {
"function": "pjmedia_rtcp_init2",
"file": "pjmedia/src/pjmedia/rtcp.c"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2022-24786-cf4afce2",
"signature_version": "v1",
"digest": {
"function_hash": "281464819933803757277780384086131965126",
"length": 934.0
}
}
]