High severity 7.5 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 28, 2026
CVE-2026-41416
Description
PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and earlier, there is an integer overflow in the media stream buffer size calculation when processing SDP with an asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption. This vulnerability is fixed in 2.17.
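The overflow described above, reproduced with fixed-width types as an added example (not PJSIP code). The two expressions are taken from the fix-commit diff; the function names, the `uint32_t` types, the microsecond unit for ptime, the sample values and the `samples_checked` variant are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Pre-fix order from the diff: multiply first. With 32-bit operands
 * (assumed here) the product wraps modulo 2^32 before the divisions. */
static uint32_t samples_mul_first(uint32_t clock_rate, uint32_t ptime_usec)
{
    return clock_rate * ptime_usec / 1000 / 1000;
}

/* Post-fix order from the diff: divide ptime before multiplying, which
 * keeps the intermediate value 1000 times smaller. */
static uint32_t samples_div_first(uint32_t clock_rate, uint32_t ptime_usec)
{
    return ptime_usec / 1000 * clock_rate / 1000;
}

/* Hypothetical hardened variant (not in the patch): widen to 64 bits and
 * refuse results outside [1, max_samples]. Returns 0 on success, -1 on
 * rejection; *out is written only on success. */
static int samples_checked(uint32_t clock_rate, uint32_t ptime_usec,
                           uint32_t max_samples, uint32_t *out)
{
    uint64_t n = (uint64_t)clock_rate * ptime_usec / 1000000u;
    if (n == 0 || n > max_samples)
        return -1;
    *out = (uint32_t)n;
    return 0;
}

int main(void)
{
    /* Constructed input: 48 kHz clock, 100 ms ptime (100000 usec). */
    uint32_t rate = 48000, ptime = 100000, n = 0;

    /* 48000 * 100000 = 4.8e9 exceeds 2^32, so the old order wraps. */
    printf("multiply first: %u samples (%u bytes)\n",
           samples_mul_first(rate, ptime), samples_mul_first(rate, ptime) * 2);
    printf("divide first:   %u samples (%u bytes)\n",
           samples_div_first(rate, ptime), samples_div_first(rate, ptime) * 2);
    if (samples_checked(rate, ptime, 48000, &n) == 0)
        printf("checked:        %u samples\n", n);
    return 0;
}
```

With these constructed values the pre-fix order yields a 505-sample buffer where 4800 samples are needed, which is the undersized allocation the description refers to.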
Affected products (1)
Patches (1)
66fe416c96e9 Fixed potential ptime integer overflow calculation in audio stream (#4843)
1 file changed · +1 −1
pjmedia/src/pjmedia/stream.c+1 −1 modified@@ -2078,7 +2078,7 @@ PJ_DEF(pj_status_t) pjmedia_stream_create( pjmedia_endpt *endpt, ptime <<= 1; /* Allocate buffer */ - stream->enc_buf_size = afd->clock_rate * ptime / 1000 / 1000; + stream->enc_buf_size = ptime / 1000 * afd->clock_rate / 1000; c_strm->enc_buf = (pj_int16_t*) pj_pool_alloc(pool, stream->enc_buf_size * 2);
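Review bot: the new expression `ptime / 1000 * afd->clock_rate / 1000` still carries no range check, so the multiplication is only moved 1000 times further from the wrap point rather than bounded, and the result goes straight into `pj_pool_alloc(pool, stream->enc_buf_size * 2)`. Consider doing the multiplication in a 64-bit type and rejecting a zero or implausibly large `enc_buf_size` before allocating. Dividing first also discards any remainder of `ptime` below 1000, so for a `ptime` that is not a multiple of 1000 the buffer comes out smaller than the exact value; rounding up would be the safer direction for a buffer size. The `ptime <<= 1` directly above the changed line is likewise unchecked, and a one-line comment stating the unit of `ptime` and why the operand order matters would keep a later cleanup from reverting it.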
References (2)
News mentions (0)
No linked articles in our index yet.