Listen to this Post
The vulnerability CVE-2026-32945 exists within the PJSIP multimedia communication library, specifically in the DNS parser component. The flaw is a heap-based buffer overflow triggered when processing a DNS response containing a maliciously crafted name length field. When PJSIP’s built-in DNS resolver parses a domain name, it reads a length byte to determine how many bytes to copy into a heap-allocated buffer. If this length value exceeds the available space in the buffer due to improper bounds checking, a heap overflow occurs. This allows an attacker to overwrite adjacent heap metadata or other critical data structures. The affected code path is activated only when applications use PJSIP’s internal DNS resolver, typically by configuring nameservers via `pjsua_config.nameserver` or UaConfig.nameserver. Applications relying on the operating system’s resolver (e.g., getaddrinfo()) or an external resolver are not impacted. The overflow can lead to arbitrary code execution, allowing an attacker to gain complete control over the affected application. This issue is fixed in PJSIP version 2.17, where the DNS parser was updated to validate length fields before memory operations.
dailycve form:
Platform: PJSIP library
Version: 2.16 below
Vulnerability : Heap-based Buffer Overflow
Severity: Critical
date: 03/20/2026
Prediction: 04/15/2026
What Undercode Say:
Check PJSIP version pjsip --version Identify vulnerable DNS resolver usage grep -r "nameserver_count" /path/to/config Manual patch verification (before upgrade) objdump -d libpjsip.so | grep "parse_name"
Exploit:
Crafted DNS response with oversized name length triggers heap overflow during pjsip_dns_parse_name. Overwrites heap metadata to redirect execution flow to shellcode.
Protection from this CVE
Upgrade to PJSIP 2.17. If unable, disable built-in DNS resolver by setting `nameserver_count = 0` or switch to external resolver using pjsip_resolver_set_ext_resolver().
Impact:
Remote code execution via malicious DNS responses, leading to full system compromise of applications using PJSIP’s internal DNS resolver.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

