Unrated severityNVD Advisory· Published Feb 20, 2026· Updated Feb 20, 2026

PJSIP has a Heap-based Buffer Overflow vulnerability in its H.264 unpacketizer

CVE-2026-26967

Description

PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are within the payload buffer bounds. The vulnerability affects applications that receive video using H.264. A patch is available at https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491.

Affected products

Pjsip/Pjsipllm-fuzzy
Range: <=2.16
pjsip/pjprojectv5
Range: < f821c214e52b11bae11e4cd3c7f0864538fb5491

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491mitrex_refsource_MISC
github.com/pjsip/pjproject/security/advisories/GHSA-x2hc-6969-g8v6mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000