2449569 – (CVE-2026-33069) CVE-2026-33069 PJSIP: PJSIP: Information disclosure vulnerability in SIP message processing

Bug 2449569 (CVE-2026-33069) - CVE-2026-33069 PJSIP: PJSIP: Information disclosure vulnerability in SIP message processing

Summary: CVE-2026-33069 PJSIP: PJSIP: Information disclosure vulnerability in SIP mess...

Keywords:
Status:	NEW
Alias:	CVE-2026-33069
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2449705 2449708
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-20 09:03 UTC by OSIDB Bzimport
Modified:	2026-03-20 19:02 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-20 09:03:11 UTC

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.

Note You need to log in before you can comment on or make changes to this bug.