Bug 2449446 (CVE-2026-32942)

Summary: CVE-2026-32942 PJSIP: PJSIP: Arbitrary code execution or information disclosure via race condition in ICE session handling
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: urgent
Priority: urgent
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in PJSIP, a multimedia communication library. A remote attacker could exploit a heap use-after-free vulnerability in the Interactive Connectivity Establishment (ICE) session. This occurs due to race conditions between session destruction and callbacks, potentially allowing for arbitrary code execution or information disclosure.
Bug Depends On: 2450661, 2450662    

Description OSIDB Bzimport 2026-03-20 05:02:56 UTC
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.