Critical severity9.8NVD Advisory· Published Apr 21, 2026· Updated Apr 23, 2026

CVE-2026-40892

Description

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if data.slen exceeds the expected digest string length.

Affected products

Pjsip/Pjsip
cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*
Range: <2.17

Patches

c82123ea6f3c

Fix stack buffer overflow in pjsip_auth_create_digest2() (#4912)

https://github.com/pjsip/pjprojectNanang IzzuddinApr 13, 2026via nvd-ref

commit

1 file changed · +1 −1

pjsip/src/pjsip/sip_auth_client.c+1 −1 modified

@@ -382,7 +382,7 @@ PJ_DEF(pj_status_t) pjsip_auth_create_digest2( pj_str_t *result,
     } else {
         AUTH_TRACE_((THIS_FILE, " Using pre computed digest for %.*s digest",
                 (int)algorithm->iana_name.slen, algorithm->iana_name.ptr));
-        pj_memcpy( ha1, cred_info->data.ptr, cred_info->data.slen );
+        pj_memcpy( ha1, cred_info->data.ptr, digest_strlen );
     }
 
     AUTH_TRACE_((THIS_FILE, " ha1=%.*s", algorithm->digest_str_length, ha1));

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

github.com/pjsip/pjproject/commit/c82123ea6f3c3652bbc9ebd5e9e658c301451687nvdPatch
github.com/pjsip/pjproject/security/advisories/GHSA-2wcg-w3c4-48r7nvdMitigationPatchVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000