CVE-2026-26203

Name: CVE-2026-26203
Description: PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1134884

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release             | Version                           | Status
asterisk (PTS)   | bullseye            | 1:16.28.0~dfsg-0+deb11u4          | vulnerable
asterisk (PTS)   | bullseye (security) | 1:16.28.0~dfsg-0+deb11u9          | vulnerable
asterisk (PTS)   | sid                 | 1:22.9.0+dfsg+~cs6.16.60671434-1  | vulnerable

The information below is based on the following data on fixed versions.

Package    | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
asterisk   | source | (unstable) | (unfixed)     |         |        | 1134884
pjproject  | source | (unstable) | (unfixed)     |         |        |

Notes

https://github.com/pjsip/pjproject/security/advisories/GHSA-p965-mf7j-gwv8
Fixed by: https://github.com/pjsip/pjproject/commit/5aee54f09d4f91538d55279d7316591b28fded6c
