UBUNTU-CVE-2026-33069

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-33069
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33069.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-33069
Upstream
Published
2026-03-20T09:16:00Z
Modified
2026-04-22T16:31:07.182437Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsipmultipartparse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.

References

Affected packages

Ubuntu:Pro:16.04:LTS / pjproject

Package

Name
pjproject
Purl
pkg:deb/ubuntu/pjproject@2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.1.0.0.ast20130823-1
2.1.0.0.ast20130823-1+deb8u1build0.16.04.1
2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpj2"
        },
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpjlib-util2"
        },
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpjmedia-audiodev2"
        },
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpjmedia-codec2"
        },
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpjmedia-videodev2"
        },
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpjmedia2"
        },
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpjnath2"
        },
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpjsip-simple2"
        },
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpjsip-ua2"
        },
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpjsip2"
        },
        {
            "binary_version": "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1",
            "binary_name": "libpjsua2"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33069.json"

Ubuntu:Pro:18.04:LTS / pjproject

Package

Name
pjproject
Purl
pkg:deb/ubuntu/pjproject@2.7.2~dfsg-1ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.6~dfsg-2
2.7~dfsg-1
2.7.1~dfsg-1
2.7.1~dfsg-1build1
2.7.2~dfsg-1
2.7.2~dfsg-1ubuntu0.1~esm1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpj2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjlib-util2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjmedia-audiodev2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjmedia-codec2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjmedia-videodev2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjmedia2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjnath2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjsip-simple2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjsip-ua2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjsip2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjsua2"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "libpjsua2-2v5"
        },
        {
            "binary_version": "2.7.2~dfsg-1ubuntu0.1~esm1",
            "binary_name": "python-pjproject"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33069.json"