Heap Buffer Overflow in PJPROJECT 2.16 (CVE‑2026‑25994) Enables Remote Code Execution in SIP Services
What Happened – A heap‑based buffer overflow was discovered in the ICE session handling code of PJPROJECT ≤ 2.16 (CVE‑2026‑25994). By sending a malicious SIP INVITE whose SDP carries an over‑long ice‑ufrag attribute (roughly 130 bytes or longer), an attacker can overwrite the stack and achieve remote code execution. A fully functional PoC script has been published on Exploit‑DB.
Why It Matters for TPRM –
- The vulnerability resides in a widely‑used open‑source VoIP library; any third‑party product that bundles PJPROJECT is potentially exploitable.
- Successful exploitation can lead to service disruption, credential theft, or full system compromise of critical communications infrastructure.
- Public exploit code lowers the barrier for opportunistic attackers, increasing the likelihood of real‑world incidents.
Who Is Affected – Telecom operators, contact‑center platforms, unified‑communication SaaS providers, and any organization that integrates PJPROJECT (or derivatives) into its voice‑over‑IP stack.
Recommended Actions –
- Verify the version of PJPROJECT used by all vendors and internal services; upgrade to 2.17 or later, where the overflow is patched.
- Conduct a dependency audit to identify transitive libraries that may embed vulnerable PJPROJECT code.
- Apply network‑level SIP hardening (e.g., rate‑limit INVITE messages, enforce SDP attribute length checks) as a temporary mitigation.
Technical Notes – The overflow occurs in pj_ice_sess_create_check_list(), where username.ptr points to a 128‑byte stack buffer that receives rem_ufrag without any length validation. An attacker can supply an ice‑ufrag of ≥ 130 bytes, causing a stack overflow; the PoC uses 520 ‘A’s to reliably corrupt the return address. The issue is classified as a heap buffer overflow (CVE‑2026‑25994) affecting multiple Linux distributions (Kali, Ubuntu, Debian). Source: https://www.exploit-db.com/exploits/52561
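The SDP attribute length check recommended under Recommended Actions, and the 128‑byte buffer size given in the Technical Notes, can be turned into a small triage filter for captured SIP traffic. The following is an added example written for this advisory; it is not code from PJPROJECT, from the Exploit‑DB entry, or from any SIP product. The 128‑byte threshold is taken from the buffer size stated above, the sample INVITE messages are constructed for illustration (the 520‑byte value mirrors the PoC size the advisory reports), and the function names are the example's own.

```python
"""Flag SIP messages whose SDP carries an over-long ice-ufrag attribute.

Added example for the advisory above; not PJPROJECT or Exploit-DB code.
All sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption drawn from the advisory: the receiving buffer is 128 bytes, so any
# ice-ufrag value longer than that is treated as suspicious. Legitimate values
# are far shorter (RFC 8445 allows 4..256 characters; typical stacks use ~4..16).
MAX_ICE_UFRAG_LEN = 128

# Generic SDP attribute line: a=<name>:<value>
SDP_ATTR_RE = re.compile(rb"^a=([A-Za-z0-9_-]+):(.*)$")


@dataclass
class Finding:
    attribute: str   # SDP attribute name, e.g. "ice-ufrag"
    length: int      # observed value length in bytes
    preview: str     # first bytes of the value, for the alert text


def split_sip(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a SIP message into header block and body at the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def request_method(raw: bytes) -> str:
    """Return the request method ('INVITE', ...) or '' for a response."""
    first = raw.split(b"\r\n", 1)[0]
    if first.startswith(b"SIP/2.0 "):
        return ""
    return first.split(b" ", 1)[0].decode("ascii", "replace")


def oversized_ice_ufrags(raw: bytes, max_len: int = MAX_ICE_UFRAG_LEN) -> List[Finding]:
    """Return one Finding per SDP a=ice-ufrag line whose value exceeds max_len bytes.

    Session-level and media-level attributes are both scanned, since the
    attribute may legitimately appear in either part of an SDP offer.
    """
    _, body = split_sip(raw)
    findings: List[Finding] = []
    for line in body.splitlines():          # tolerant of CRLF and bare LF endings
        m = SDP_ATTR_RE.match(line.rstrip(b"\r"))
        if not m or m.group(1) != b"ice-ufrag":
            continue
        value = m.group(2).strip()
        if len(value) > max_len:
            findings.append(Finding("ice-ufrag", len(value),
                                    value[:16].decode("ascii", "replace")))
    return findings


def triage(messages: Iterable[bytes]) -> List[Tuple[int, str, List[Finding]]]:
    """Scan a batch of captured SIP messages; return (index, method, findings) for hits only."""
    hits = []
    for i, msg in enumerate(messages):
        findings = oversized_ice_ufrags(msg)
        if findings:
            hits.append((i, request_method(msg), findings))
    return hits


def _invite(ufrag: bytes) -> bytes:
    """Build a minimal, constructed SIP INVITE with an SDP offer carrying the given ice-ufrag."""
    sdp = (b"v=0\r\n"
           b"o=- 1 1 IN IP4 192.0.2.10\r\n"
           b"s=-\r\n"
           b"c=IN IP4 192.0.2.10\r\n"
           b"t=0 0\r\n"
           b"m=audio 4000 RTP/AVP 0\r\n"
           b"a=ice-ufrag:" + ufrag + b"\r\n"
           b"a=ice-pwd:constructedpasswordvalue1234\r\n")
    return (b"INVITE sip:bob@example.test SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed\r\n"
            b"Content-Type: application/sdp\r\n"
            b"Content-Length: " + str(len(sdp)).encode() + b"\r\n"
            b"\r\n" + sdp)


# Constructed samples: a normal offer, and one whose ufrag is 520 bytes long
# (the size the advisory attributes to the public PoC).
SAMPLES = [
    _invite(b"a1b2c3d4"),
    _invite(b"A" * 520),
]

if __name__ == "__main__":
    for idx, method, findings in triage(SAMPLES):
        for f in findings:
            print(f"message {idx} ({method}): {f.attribute} length {f.length} "
                  f"> {MAX_ICE_UFRAG_LEN}, value starts {f.preview!r}")
```

The check is deliberately strict at the buffer size rather than at the RFC maximum, because the point of the temporary mitigation is to drop or alert on anything the unpatched parser cannot hold; once all endpoints run 2.17 or later the filter can be relaxed or removed.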