CVE-2022-21723: CWE-125: Out-of-bounds Read in pjsip pjproject

Severity: Medium
Published: Thu Jan 27 2022 (01/27/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: pjsip
Product: pjproject

Description

PJSIP is a free and open source multimedia communication library written in C that implements standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause an out-of-bounds read. This issue affects all PJSIP users that accept SIP multipart. The patch is available as a commit in the `master` branch. There are no known workarounds.

AI-Powered Analysis

Last updated: 06/23/2025, 18:01:58 UTC

Technical Analysis

CVE-2022-21723 is a medium-severity vulnerability classified under CWE-125 (Out-of-bounds Read) affecting the pjproject component of the PJSIP multimedia communication library. PJSIP is an open-source library written in C that implements widely used communication protocols such as SIP (Session Initiation Protocol), SDP, RTP, STUN, TURN, and ICE. The vulnerability exists in versions 2.11.1 and earlier. It arises when the library parses incoming SIP messages containing malformed multipart content. Specifically, the malformed multipart causes the parser to read memory beyond the intended buffer boundaries, leading to an out-of-bounds read condition. This can result in the exposure of sensitive memory contents or cause application instability or crashes due to invalid memory access. The vulnerability affects all users of PJSIP that accept SIP multipart messages, which is common in VoIP and multimedia communication applications. No known workarounds exist, but a patch addressing the issue has been committed to the master branch of the pjproject repository. There are no known exploits in the wild at the time of this analysis. The vulnerability does not require authentication or user interaction to be triggered, as it is exploitable by sending a crafted SIP message to a vulnerable endpoint. The root cause is improper input validation and boundary checking during multipart parsing in the SIP message processing code.

Potential Impact

For European organizations, the impact of this vulnerability primarily concerns entities relying on PJSIP-based communication infrastructure, such as VoIP providers, telephony systems, unified communications platforms, and multimedia conferencing solutions. Exploitation could lead to information disclosure by reading sensitive memory contents, potentially exposing credentials, session tokens, or other confidential data. Additionally, the out-of-bounds read may cause service instability or crashes, resulting in denial of service conditions that disrupt communication services. This can affect critical business operations, especially in sectors like finance, healthcare, government, and telecommunications where reliable and secure communication is essential. Since PJSIP is widely used in embedded devices and softphones, the vulnerability could also impact Internet of Things (IoT) devices and network equipment deployed across European networks. The lack of known exploits reduces immediate risk, but the ease of exploitation by sending crafted SIP messages means attackers could develop exploits, increasing future risk. The vulnerability's impact on confidentiality and availability makes it a concern for organizations handling sensitive communications and requiring high service uptime.

Mitigation Recommendations

European organizations should prioritize upgrading all PJSIP deployments to versions later than 2.11.1 where the patch is applied. Since no workarounds exist, patching is the primary mitigation strategy. Network administrators should implement SIP message filtering and deep packet inspection to detect and block malformed multipart SIP messages at the perimeter or session border controllers (SBCs). Deploying anomaly detection systems that monitor SIP traffic for unusual multipart structures can help identify exploitation attempts. Organizations should also conduct an inventory of all systems using PJSIP, including embedded devices and softphones, to ensure comprehensive patch coverage. Where immediate patching is not feasible, isolating vulnerable systems in segmented network zones with strict access controls can reduce exposure. Logging and monitoring SIP traffic for crashes or unusual behavior can provide early warning of exploitation attempts. Finally, organizations should engage with vendors of PJSIP-based products to confirm patch availability and deployment timelines.
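The length-bounded scanning that the technical analysis identifies as the missing control, applied as the kind of structural multipart check a SIP filter could run, as an added example (not pjproject code and not the upstream patch). It assumes the boundary parameter has already been extracted from the Content-Type header; the function and enum names are hypothetical, the sample bodies are constructed, and because the page does not say which malformation triggers the CVE, the checks are the general RFC 2046 delimiter rules.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not pjproject code. All names here are hypothetical. */
enum mp_result { MP_OK, MP_BAD_BOUNDARY, MP_NO_OPEN_DELIM, MP_NO_CLOSE_DELIM };

/* Find "--" + boundary at a line start, at or after `from`. Every access is
 * checked against `len`; the buffer is never assumed to be NUL-terminated.
 * Returns the offset of the "--", or `len` when there is no match.
 * Simplification: trailing padding after the boundary is not validated. */
static size_t find_delim(const char *buf, size_t len, size_t from,
                         const char *bnd, size_t blen)
{
    size_t need = 2 + blen;
    for (size_t i = from; len >= need && i <= len - need; i++) {
        int line_start = (i == 0) ||
                         (i >= 2 && buf[i - 2] == '\r' && buf[i - 1] == '\n');
        if (line_start && buf[i] == '-' && buf[i + 1] == '-' &&
            memcmp(buf + i + 2, bnd, blen) == 0)
            return i;
    }
    return len;
}

enum mp_result mp_check(const char *buf, size_t len,
                        const char *bnd, size_t blen)
{
    if (blen == 0 || blen > 70)          /* RFC 2046 boundary length limit */
        return MP_BAD_BOUNDARY;
    size_t pos = find_delim(buf, len, 0, bnd, blen);
    if (pos == len)
        return MP_NO_OPEN_DELIM;
    while (pos != len) {
        size_t after = pos + 2 + blen;   /* <= len, guaranteed by find_delim */
        /* Close delimiter is "--boundary--": two more bytes must exist. */
        if (len - after >= 2 && buf[after] == '-' && buf[after + 1] == '-')
            return MP_OK;
        pos = find_delim(buf, len, after, bnd, blen);
    }
    return MP_NO_CLOSE_DELIM;            /* body ended inside a part */
}

int main(void)
{   /* Constructed bodies: one well-formed, one cut off inside a part. */
    const char ok[] = "--b1\r\n\r\nhi\r\n--b1--\r\n", cut[] = "--b1\r\n\r\nhi";
    printf("%d %d\n", mp_check(ok, sizeof ok - 1, "b1", 2),
           mp_check(cut, sizeof cut - 1, "b1", 2));
    return 0;
}
```

A filter built on this would reject or log any body whose result is not `MP_OK`; it complements the upgrade and does not replace it.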

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-11-16T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9842c4522896dcbf238b

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 6:01:58 PM

Last updated: 7/25/2025, 8:58:35 PM
