CVE-2026-33069

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33069

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33069.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33069

Aliases

GHSA-x5pq-qrp4-fmrj

Downstream

DEBIAN-CVE-2026-33069

UBUNTU-CVE-2026-33069

Published

2026-03-20T08:21:51.442Z

Modified

2026-04-12T20:14:08.874509Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

PJSIP has an Out-of-bounds Read in SIP multipart parsing

Details

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsipmultipartparse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33069.json",
    "cwe_ids": [
        "CWE-125"
    ]
}

References

Affected packages

Git / github.com/pjsip/pjproject

Affected ranges

Type: GIT
Repo: https://github.com/pjsip/pjproject
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f0fa32a226df5f87a9903093e5d145ebb69734db

Affected versions

2.*

2.10

2.11

2.12

2.13

2.14

2.15

2.16

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33069.json"

vanir_signatures

[
    {
        "digest": {
            "length": 2969.0,
            "function_hash": "123205827714274932144245302518385269151"
        },
        "id": "CVE-2026-33069-ad923eee",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db",
        "target": {
            "function": "pjsip_multipart_parse",
            "file": "pjsip/src/pjsip/sip_multipart.c"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "134044676583217943454598443276617719614",
                "303646513679113037996350760100224114913",
                "248241896929292608451972580239669740460",
                "7520940601554478535836548953415834297",
                "13468779921630372455326048551359390585",
                "19245269068278446451926832921333274340",
                "32223931369750358319564163136753212491",
                "275756017434893165973269118243202851245",
                "46102958946110448036384887442966385532"
            ]
        },
        "id": "CVE-2026-33069-d7b63033",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db",
        "target": {
            "file": "pjsip/src/pjsip/sip_multipart.c"
        }
    }
]

vanir_signatures_modified

"2026-04-12T20:14:08Z"