CVE-2026-42225

Source
https://cve.org/CVERecord?id=CVE-2026-42225
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42225.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42225
Aliases
  • GHSA-x2fv-6j6c-pxmx
Downstream
Published
2026-05-07T18:47:26.563Z
Modified
2026-07-15T01:49:12.744624745Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
GnuTLS backend silently skips certificate chain verification when verify_peer is false
Details

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (siptransporttls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verifyserver = PJTRUE or verifyclient = PJTRUE. This issue has been patched in version 2.17.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42225.json",
    "cwe_ids": [
        "CWE-295"
    ]
}
References

Affected packages

Git / github.com/pjsip/pjproject

Affected ranges

Type
GIT
Repo
https://github.com/pjsip/pjproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.17"
        }
    ]
}

Affected versions

2.*
2.10
2.11
2.12
2.13
2.14
2.15
2.16

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42225.json"