[USN-8122-1] PJSIP vulnerabilities

Posted on 24 March 2026
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-8122-1
March 24, 2026

pjproject vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in PJSIP.

Software Description:
- pjproject: multimedia communication library

Details:

Youngsung Kim discovered that PJSIP did not properly parse numeric header
fields in SIP messages. A remote attacker could use this issue to cause
PJSIP to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-16872)

Peter Koletzki discovered that PJSIP did not properly handle certain
connection requests. A remote attacker could possibly use this issue to
cause PJSIP to enter an unrecoverable state and reject further connections,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2017-16875)

Alfred Farrugia, Sandro Gauci, and Kevin Harwell discovered that PJSIP did
not properly parse certain SDP messages. A remote attacker could possibly
use this issue to cause PJSIP to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS. (CVE-2018-1000098,
CVE-2018-1000099)

Lauri Vänskä discovered that PJSIP did not verify hostnames when reusing
TLS connections. If a remote attacker were able to intercept communication,
this flaw could possibly be exploited to view sensitive information.
(CVE-2020-15260)

It was discovered that PJSIP did not properly handle certain sequences of
SDP messages. A remote attacker could possibly use this issue to cause
PJSIP to crash, resulting in a denial of service. (CVE-2021-21375)

It was discovered that the SSL socket implementation in PJSIP contained a
race condition. A remote attacker could possibly use this issue to cause
PJSIP to crash, resulting in a denial of service. This issue was only
addressed in Ubuntu 18.04 LTS. (CVE-2021-32686)

It was discovered that PJSIP did not properly parse certain STUN messages.
A remote attacker could use this issue to cause PJSIP to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2021-37706)

Uriya Yavnieli discovered that PJSIP did not properly manage memory under
certain conditions. A remote attacker could use this issue to cause PJSIP
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303)

It was discovered that PJSIP did not properly manage memory when processing
ICE session credentials. A remote attacker could use this issue to cause
PJSIP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2026-25994)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  libpj2             2.7.2~dfsg-1ubuntu0.1~esm1
                     Available with Ubuntu Pro
  libpjmedia2        2.7.2~dfsg-1ubuntu0.1~esm1
                     Available with Ubuntu Pro
  libpjnath2         2.7.2~dfsg-1ubuntu0.1~esm1
                     Available with Ubuntu Pro
  libpjsip2          2.7.2~dfsg-1ubuntu0.1~esm1
                     Available with Ubuntu Pro
  libpjsua2          2.7.2~dfsg-1ubuntu0.1~esm1
                     Available with Ubuntu Pro
  python-pjproject   2.7.2~dfsg-1ubuntu0.1~esm1
                     Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libpj2             2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1
                     Available with Ubuntu Pro
  libpjmedia2        2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1
                     Available with Ubuntu Pro
  libpjnath2         2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1
                     Available with Ubuntu Pro
  libpjsip2          2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1
                     Available with Ubuntu Pro
  libpjsua2          2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1
                     Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
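
To confirm that a host actually carries the fixed packages, the check below (an added example, not part of the Ubuntu notice) compares `dpkg-query -W` output against the versions listed above using Debian version ordering, in which `~` sorts before everything, so `...~esm1` cannot be compared as a plain string. The function names and the sample package list are constructed for illustration.

```python
import re

# Fixed versions copied from the "Update instructions" section of this notice.
_LIBS = ["libpj2", "libpjmedia2", "libpjnath2", "libpjsip2", "libpjsua2"]
FIXED = {"18.04": dict.fromkeys(_LIBS + ["python-pjproject"], "2.7.2~dfsg-1ubuntu0.1~esm1"),
         "16.04": dict.fromkeys(_LIBS, "2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1")}
# Constructed sample of `dpkg-query -W` output (name<TAB>version), not from a real host.
SAMPLE = "libpj2:amd64\t2.7.2~dfsg-1\nlibpjsip2:amd64\t2.7.2~dfsg-1ubuntu0.1~esm1\nbash\t4.4.18-2\n"

def _order(c):
    # dpkg rule: '~' sorts before everything, even end of string; letters before punctuation.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    while a or b:  # alternate between non-digit runs and digit runs
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            d = _order(a[:1]) - _order(b[:1])
            if d:
                return d
            a, b = a[1:], b[1:]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
        a, b = a[len(na):], b[len(nb):]
    return 0

def deb_cmp(a, b):
    """Return <0, 0 or >0 when Debian version a is older than, equal to or newer than b."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, dash, rev = rest.rpartition("-")
        return (int(epoch), up, rev) if dash else (int(epoch), rest, "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(release, dpkg_output):
    """Return (package, installed, fixed) for each listed package still below the fix."""
    hits = []
    for fields in map(str.split, dpkg_output.splitlines()):
        fixed = FIXED[release].get(fields[0].split(":")[0]) if len(fields) == 2 else None
        if fixed and deb_cmp(fields[1], fixed) < 0:
            hits.append((fields[0].split(":")[0], fields[1], fixed))
    return hits

if __name__ == "__main__":
    print(audit("18.04", SAMPLE))
```

On a real host, pass the output of `dpkg-query -W` as `dpkg_output`; an empty result means none of the listed packages is installed below the fixed version.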

References:
https://ubuntu.com/security/notices/USN-8122-1
CVE-2017-16872, CVE-2017-16875, CVE-2018-1000098, CVE-2018-1000099,
CVE-2020-15260, CVE-2021-21375, CVE-2021-32686, CVE-2021-37706,
CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303, CVE-2026-25994
