{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33069", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.343Z", "datePublished": "2026-03-20T08:21:51.442Z", "dateUpdated": "2026-03-20T08:21:51.442Z"}, "containers": {"cna": {"title": "PJSIP has an Out-of-bounds Read in SIP multipart parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj"}, {"name": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db", "tags": ["x_refsource_MISC"], "url": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db"}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"version": "< 2.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:21:51.442Z"}, "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17."}], "source": {"advisory": "GHSA-x5pq-qrp4-fmrj", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17."}], "id": "CVE-2026-33069", "lastModified": "2026-03-20T09:16:15.183", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-20T09:16:15.183", "references": [{"source": "[email protected]", "url": "https://github.com/pjsip/pjproject/commit/f0fa32a226df5f87a9903093e5d145ebb69734db"}, {"source": "[email protected]", "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-x5pq-qrp4-fmrj"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T09:22:41.250572+00:00", "value": {"mitigation_remediation": ["Upgrade PJSIP to version 2.17 or newer to eliminate the vulnerability."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure via Out-of-Bounds Read"}, "threat_synthesis": {"affected_systems": "Vendors and products affected include the PJSIP library (pjproject). All versions 2.16 and earlier are potentially vulnerable because they lack the necessary boundary validation. Applications that receive SIP messages containing multipart or SDP content should be examined to confirm whether they are using a vulnerable PJSIP version.", "description_and_impact": "An out-of-bounds heap read occurs in the pjsip_multipart_parse() function of PJSIP when parsing SIP multipart bodies. After boundary string matching, the internal pointer is advanced beyond the delimiter without verifying it has not reached the end of the buffer, allowing 1\u20132 adjacent heap bytes to be read. This weakness may expose sensitive data that resides in adjacent memory, falling under CWE-125.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity vulnerability. While the EPSS score is not available, the lack of inclusion in the KEV catalog suggests that it has not yet been widely exploited. An attacker can potentially trigger the read by sending a specially crafted SIP message over the network; no elevated privileges are required. The impact is limited to reading a few bytes of adjacent memory, which still poses an information disclosure risk if the adjacent data is sensitive."}}}}, "created": "2026-03-20T10:36:37.397656+00:00", "updated": "2026-03-20T10:36:37.397682+00:00", "vendors": []}