DEBIAN-CVE-2026-33069

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-33069

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33069.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33069

Upstream

CVE-2026-33069

Published

2026-03-20T09:16:15.183Z

Modified

2026-04-22T16:32:14.815658Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsipmultipartparse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.

References

https://security-tracker.debian.org/tracker/CVE-2026-33069

Affected packages

Debian:11 / asterisk

Package

Name: asterisk
Purl: pkg:deb/debian/asterisk?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:16.*

1:16.16.1~dfsg-1

1:16.16.1~dfsg-1+deb11u1~bpo10+1

1:16.16.1~dfsg-1+deb11u1

1:16.16.1~dfsg-2

1:16.16.1~dfsg-3

1:16.16.1~dfsg-4

1:16.16.1~dfsg+~2.10-1

1:16.16.1~dfsg+~2.10-2

1:16.23.0~dfsg+~2.10-1

1:16.23.0~dfsg+~cs6.10.20220309-1

1:16.23.0~dfsg+~cs6.10.20220309-2

1:16.23.0~dfsg+~cs6.10.40431411-1

1:16.28.0~dfsg-0+deb11u1

1:16.28.0~dfsg-0+deb11u2

1:16.28.0~dfsg-0+deb11u3

1:16.28.0~dfsg-0+deb11u4

1:16.28.0~dfsg-0+deb11u5

1:16.28.0~dfsg-0+deb11u6

1:16.28.0~dfsg-0+deb11u7

1:16.28.0~dfsg-0+deb11u8

1:16.28.0~dfsg-0+deb11u9

1:18.*

1:18.9.0~dfsg+~cs6.10.40431411-1

1:18.10.0~dfsg+~cs6.10.40431411-1

1:18.10.0~dfsg+~cs6.10.40431411-2

1:18.10.1~dfsg+~cs6.10.40431411-1

1:18.11.1~dfsg+~cs6.10.40431413-1

1:18.11.2~dfsg+~cs6.10.40431413-1

1:18.12.0~dfsg+~cs6.12.40431413-1

1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1

1:18.14.0~dfsg+~cs6.12.40431414-1

1:20.*

1:20.0.0~~rc1~dfsg+~cs6.12.40431414-1

1:20.0.0~~rc2~dfsg+~cs6.12.40431414-1

1:20.0.0~dfsg+~cs6.12.40431414-1

1:20.0.0~dfsg+~cs6.12.40431414-2

1:20.0.1~dfsg+~cs6.12.40431414-1

1:20.1.0~~rc2~dfsg+~cs6.12.40431414-1

1:20.1.0~dfsg+~cs6.12.40431414-1

1:20.2.1~dfsg+~cs6.13.40431413-1

1:20.3.0~dfsg+~cs6.13.40431413-1

1:20.4.0~dfsg+~cs6.13.40431414-1

1:20.4.0~dfsg+~cs6.13.40431414-2

1:20.5.0~dfsg+~cs6.13.40431414-1

1:20.5.1~dfsg+~cs6.13.40431414-1

1:20.5.2~dfsg+~cs6.13.40431414-1

1:20.6.0~dfsg+~cs6.13.40431414-1

1:20.6.0~dfsg+~cs6.13.40431414-2

1:20.8.1~dfsg+~cs6.14.40431414-1

1:20.9.3~dfsg+~cs6.14.60671435-1

1:22.*

1:22.0.0~~rc2~dfsg+~cs6.14.60671435-1

1:22.0.0~dfsg+~cs6.14.60671435-1

1:22.1.0~dfsg+~cs6.14.60671435-1

1:22.1.1~dfsg+~cs6.14.60671435-1

1:22.2.0~dfsg+~cs6.15.60671435-1

1:22.2.0~dfsg+~cs6.15.60671435-2

1:22.3.0~~rc1~dfsg+~cs6.15.60671435-1

1:22.3.0~dfsg+~cs6.15.60671435-1

1:22.4.1~dfsg+~cs6.15.60671435-1

1:22.4.1~dfsg+~cs6.15.60671435-2

1:22.5.1~dfsg+~cs6.15.60671435-1

1:22.5.2~dfsg+~cs6.15.60671435-1

1:22.6.0~dfsg+~cs6.15.60671435-1

1:22.7.0~dfsg+~cs6.15.60671435-1

1:22.8.0+dfsg+~cs6.15.60671435-1

1:22.8.2+dfsg+~cs6.15.60671435-1

1:22.9.0+dfsg+~cs6.16.60671434-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33069.json"