Listen to this Post
How the mentioned CVE works:
The vulnerability resides in the ICE (Interactive Connectivity Establishment) session component of PJSIP versions 2.16 and earlier. The session object manages ICE negotiation and keeps callbacks that fire upon completion or failure of ICE operations. A race condition exists when the session is destroyed concurrently with one of these ICE callbacks being invoked. If the callback executes after the session memory has been freed, a heap use-after-free occurs. Attackers can trigger this by rapidly tearing down calls or by sending specific STUN/TURN messages that cause the ICE session to be cleaned up while a callback is still pending. The lack of proper reference counting or locking between the session destruction path and the asynchronous callback mechanism allows the callback to access already-freed structures, leading to memory corruption. This can result in denial of service, information disclosure, or remote code execution depending on how the freed memory is reused. The issue is fixed in version 2.17 by introducing robust synchronization that ensures callbacks are cancelled or ignored when the session is destroyed.
dailycve form:
Platform: PJSIP
Version: 2.16 and below
Vulnerability: Heap use-after-free
Severity: Critical
date: 2026-03-20
Prediction: Already patched 2.17
Analytics
What Undercode Say:
Check PJSIP version from installed package
pkg-config --modversion libpjproject
Alternatively, grep version in source headers
grep -r "PJ_VERSION" /usr/include/pjsip/
Detect vulnerable versions with a simple script
if [ $(pkg-config --modversion libpjproject | cut -d. -f2) -le 16 ]; then
echo "Vulnerable to CVE-2026-32942"
fi
Code snippet illustrating missing synchronization (pseudocode)
/ vulnerable code pattern /
void ice_session_destroy(session) {
free(session);
// callback still may fire later using session->data
}
Exploit:
An attacker could initiate multiple concurrent call setups and immediately tear them down while injecting STUN Binding Requests with malformed attributes. The race window is exploited to free the ICE session before its callback returns, causing the application to read/write freed heap memory. With precise heap grooming, this can lead to arbitrary code execution.
Protection from this CVE
Upgrade to PJSIP version 2.17 or later. Apply the official patch that adds reference counting and callback cancellation during session destruction. As a temporary mitigation, disable ICE if not required or use a mutex around session destruction and callback invocation in custom integrations.
Impact:
Successful exploitation can cause application crashes (denial of service), leak sensitive memory contents, or enable remote code execution in the context of the PJSIP-based application (e.g., VoIP phones, conferencing systems, media gateways).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

