CVE-2022-21722: CWE-125: Out-of-bounds Read in pjsip pjproject
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds.
AI Analysis
Technical Summary
CVE-2022-21722 is a medium-severity vulnerability identified in the pjproject component of the PJSIP multimedia communication library, which is widely used for implementing standard protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. The vulnerability is classified as CWE-125, an out-of-bounds read, and affects pjproject versions 2.11.1 and earlier. Specifically, the flaw arises in the handling of incoming RTP (Real-time Transport Protocol) and RTCP (RTP Control Protocol) packets within the PJMEDIA module. Due to insufficient bounds checking, certain crafted RTP/RTCP packets can trigger out-of-bounds memory reads. This can lead to unintended disclosure of memory contents, potentially leaking sensitive information or causing application instability. The vulnerability does not require authentication or user interaction, as it can be triggered by receiving maliciously crafted network packets. While no known exploits have been reported in the wild, the issue poses a risk to any system using PJMEDIA to accept RTP/RTCP traffic, including VoIP infrastructure, video conferencing systems, and other real-time communication platforms. A patch addressing this vulnerability has been committed to the master branch of the pjproject repository, but no official workaround exists. The vulnerability impacts confidentiality due to possible memory disclosure, and may affect integrity or availability if the out-of-bounds read leads to application crashes or undefined behavior.
Potential Impact
European organizations that rely on PJSIP-based communication systems, such as VoIP telephony, video conferencing, and unified communications, could face risks from this vulnerability. The out-of-bounds read could allow attackers to glean sensitive information from memory, potentially exposing credentials, session data, or cryptographic material. Additionally, exploitation could cause service disruptions through application crashes, impacting availability of critical communication services. This is particularly concerning for sectors with high dependency on real-time communications, including telecommunications providers, financial institutions, healthcare, and government agencies. The vulnerability's network-exposed nature means attackers can exploit it remotely without authentication, increasing the attack surface. Given the widespread use of PJSIP in open-source and commercial communication products, the impact could be broad. However, the absence of known exploits and the medium severity rating suggest the immediate risk is moderate. Nonetheless, organizations should prioritize patching to prevent potential escalation or targeted attacks, especially in environments where confidentiality and availability of communications are paramount.
Mitigation Recommendations
Organizations should promptly update pjproject to a version beyond 2.11.1 where the patch addressing CVE-2022-21722 is applied. Since no official workarounds exist, patching is the primary mitigation. Additionally, network-level protections can reduce exposure: implement strict filtering and validation of RTP/RTCP traffic at firewalls and session border controllers to block malformed or suspicious packets. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect anomalous RTP/RTCP traffic patterns. For critical systems, consider isolating communication servers from untrusted networks and enforcing strict access controls. Regularly audit and monitor logs for unusual RTP/RTCP traffic or application crashes that may indicate exploitation attempts. Vendors using PJSIP in their products should verify and integrate the patch promptly and communicate updates to customers. Finally, conduct security testing of communication infrastructure to identify and remediate any residual vulnerabilities related to RTP/RTCP packet handling.
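The kind of validation described above, as an added example (not pjproject's code and not its patch): a C check of the RFC 3550 RTP header that compares the CSRC count, header-extension length and padding count against the received datagram length before the payload is touched. `rtp_validate` and `struct rtp_view` are hypothetical names, and the packet in `main` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
struct rtp_view { size_t payload_off, payload_len; };

/* Validate an RTP datagram (RFC 3550 section 5.1) before any field is used.
 * Returns 0 and fills *out, or -1 when a length field inside the packet
 * points past the end of the received buffer. */
int rtp_validate(const uint8_t *pkt, size_t len, struct rtp_view *out)
{
    if (pkt == NULL || out == NULL || len < 12)
        return -1;                          /* fixed header is 12 bytes */
    if ((pkt[0] >> 6) != 2)
        return -1;                          /* version must be 2 */

    size_t off = 12 + 4u * (pkt[0] & 0x0F); /* CSRC count, 4 bytes each */
    if (off > len)
        return -1;                          /* CSRC list runs off the end */

    if (pkt[0] & 0x10) {                    /* X bit: header extension */
        if (len - off < 4)
            return -1;                      /* no room for its 4-byte header */
        size_t ext = 4 * (((size_t)pkt[off + 2] << 8) | pkt[off + 3]);
        off += 4;
        if (ext > len - off)
            return -1;                      /* declared length overruns */
        off += ext;
    }
    size_t pad = 0;
    if (pkt[0] & 0x20) {                    /* P bit: last byte is pad count */
        if (off == len)
            return -1;                      /* no byte left to hold the count */
        pad = pkt[len - 1];
        if (pad == 0 || pad > len - off)
            return -1;                      /* padding exceeds what remains */
    }
    out->payload_off = off;
    out->payload_len = len - off - pad;
    return 0;
}

int main(void)
{
    /* Constructed sample: 12-byte datagram whose CC field claims 15 CSRCs. */
    uint8_t short_pkt[12] = { 0x8F, 0x00 };
    struct rtp_view v;
    printf("truncated CSRC list: %d\n", rtp_validate(short_pkt, sizeof short_pkt, &v));
    return 0;
}
```

Each check subtracts from the remaining length rather than adding to an offset first, so a large declared length cannot wrap around and pass the comparison.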
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2021-11-16T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9842c4522896dcbf2383
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 6:02:11 PM
Last updated: 8/10/2025, 4:41:34 PM