CVE-2026-33069

NameCVE-2026-33069
DescriptionPJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1134884

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)bullseye1:16.28.0~dfsg-0+deb11u4vulnerable
bullseye (security)1:16.28.0~dfsg-0+deb11u9vulnerable
sid1:22.9.0+dfsg+~cs6.16.60671434-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksource(unstable)(unfixed)1134884
pjprojectsource(unstable)(unfixed)

Notes

https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj
https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db
Search for package or bug name: Reporting problems