Platform
c
Component
pjsip
Fixed in
2.16.1
CVE-2026-40614 describes a buffer overflow vulnerability discovered in PJSIP, a widely used multimedia communication library. This flaw arises from inadequate buffer size validation when decoding Opus audio frames, potentially leading to a crash or, more seriously, remote code execution. The vulnerability affects versions 2.16.0 and earlier, and a fix is available in version 2.17.0.
An attacker exploiting this buffer overflow could craft a malicious Opus audio stream that, when decoded by a vulnerable PJSIP instance, overwrites adjacent memory regions. This memory corruption could allow the attacker to execute arbitrary code on the system running PJSIP, effectively gaining control. The impact is particularly severe in applications that directly process Opus audio data received from untrusted sources, such as VoIP clients, conferencing systems, or media servers. The blast radius extends to any system utilizing a vulnerable PJSIP library, potentially impacting a wide range of applications and services.
CVE-2026-40614 was publicly disclosed on 2026-04-21. Currently, there are no publicly available proof-of-concept exploits. The vulnerability has not been added to the CISA KEV catalog. Given the potential for remote code execution and the widespread use of PJSIP, it is prudent to treat this vulnerability with high priority and apply the recommended mitigation as soon as possible.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
The primary mitigation for CVE-2026-40614 is to upgrade to PJSIP version 2.17.0 or later, which includes the necessary fix. If immediate upgrading is not feasible, consider implementing input validation on Opus audio streams to limit the size of decoded frames. While not a complete solution, this can reduce the risk of exploitation. WAFs or proxies can be configured to inspect Opus audio traffic for anomalies, although detecting subtle buffer overflows can be challenging. Monitor system logs for crashes or unexpected behavior related to PJSIP, which could indicate an attempted exploit.
Update to version 2.17.0 or later to mitigate the heap buffer overflow. The update corrects the insufficient buffer size validation in the Opus codec decode path, preventing data from being copied beyond the buffer boundaries.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40614 is a buffer overflow vulnerability in PJSIP versions 2.16.0 and below, allowing potential remote code execution due to insufficient buffer size validation during Opus audio frame decoding.
If you are using PJSIP version 2.16.0 or earlier, you are potentially affected by this vulnerability. Upgrade to version 2.17.0 or later to mitigate the risk.
The recommended fix is to upgrade to PJSIP version 2.17.0 or later. If upgrading is not immediately possible, implement input validation on Opus audio streams as a temporary mitigation.
As of the current disclosure date, there are no confirmed reports of active exploitation of CVE-2026-40614. However, the potential for exploitation exists given the vulnerability's nature.
Refer to the official PJSIP project website and security advisories for the latest information and updates regarding CVE-2026-40614.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.