Medium severity5.9NVD Advisory· Published May 7, 2026· Updated May 12, 2026

CVE-2026-42225

Description

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verify_server = PJ_TRUE or verify_client = PJ_TRUE. This issue has been patched in version 2.17.

Affected products

Pjsip/Pjprojectreferences

Patches

ef684252bb62

Merge commit from fork

https://github.com/pjsip/pjprojectsauwmingApr 21, 2026via nvd-ref

commit

1 file changed · +10 −4

pjlib/src/pj/ssl_sock_gtls.c+10 −4 modified

@@ -313,7 +313,11 @@ static int tls_cert_verify_cb(gnutls_session_t session)
         ssock->verify_status |= PJ_SSL_CERT_EUNKNOWN;
         return GNUTLS_E_CERTIFICATE_ERROR;
     }
-    if (ssock->param.verify_peer) {
+    /* Always map GnuTLS chain-trust flags into ssock->verify_status so that
+     * upper layers (e.g. sip_transport_tls, which sets verify_peer=PJ_FALSE
+     * and enforces certificate policy itself) can inspect the result.
+     * Aborting the handshake immediately is only done when verify_peer is
+     * set at the SSL-socket level. */
     if (status & GNUTLS_CERT_INVALID) {
         if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
             ssock->verify_status |= PJ_SSL_CERT_EISSUER_NOT_FOUND;
@@ -331,11 +335,11 @@ static int tls_cert_verify_cb(gnutls_session_t session)
         else
             ssock->verify_status |= PJ_SSL_CERT_EUNKNOWN;
 
-        return GNUTLS_E_CERTIFICATE_ERROR;
+        if (ssock->param.verify_peer)
+            return GNUTLS_E_CERTIFICATE_ERROR;
     }
 
-    /* When verification is not requested just return ok here, however
-     * applications can still get the verification status. */
+    if (ssock->param.verify_peer) {
         gnutls_x509_crt_t cert;
         unsigned int cert_list_size;
         const gnutls_datum_t *cert_list;
@@ -376,6 +380,8 @@ static int tls_cert_verify_cb(gnutls_session_t session)
         return GNUTLS_E_CERTIFICATE_ERROR;
     }
 
+    /* verify_peer is false: allow the handshake to complete. Upper layers
+     * will read ssock->verify_status to enforce their own policy. */
     return GNUTLS_E_SUCCESS;
 }

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/pjsip/pjproject/commit/ef684252bb62b0716675b6e99ad7fe4c90e28920nvdPatch
github.com/pjsip/pjproject/security/advisories/GHSA-x2fv-6j6c-pxmxnvdPatchVendor Advisory
github.com/pjsip/pjproject/releases/tag/2.17nvdProductRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000