CVE-2022-24786: CWE-125: Out-of-bounds Read in pjsip pjproject
PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packets, but any app that directly uses `pjmedia_rtcp_fb_parse_rpsi()` will be affected. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
AI Analysis
Technical Summary
CVE-2022-24786 is a medium-severity vulnerability affecting the pjproject component of the PJSIP multimedia communication library, versions 2.12 and earlier. PJSIP is an open-source library written in C, widely used for multimedia communication applications such as VoIP, video conferencing, and instant messaging. The vulnerability arises from an out-of-bounds read condition in the function pjmedia_rtcp_fb_parse_rpsi(), which is responsible for parsing RTCP feedback packets, specifically the Reference Picture Selection Indication (RPSI) packets. While PJSIP itself does not parse incoming RPSI packets by default, any application that directly invokes this parsing function is susceptible.

The out-of-bounds read (CWE-125) can lead to the application reading memory beyond the intended buffer, potentially exposing sensitive information or causing application instability. Additionally, the tags indicate a related out-of-bounds write issue (CWE-787), which may exacerbate the impact by corrupting memory. No known exploits are currently active in the wild, and no workarounds exist aside from applying the patch available in the master branch of the pjsip/pjproject GitHub repository.

The vulnerability requires crafted RTCP packets to trigger, which implies that an attacker must be able to send malicious RTCP feedback messages to the target application. Exploitation does not require user interaction but does require the application to process these packets, which is typical in real-time communication scenarios. The vulnerability primarily affects confidentiality and integrity, with a potential for denial-of-service if the application crashes due to memory errors. Availability impact is possible but less likely to be severe unless exploited for crashing services. The vulnerability is relevant for any multimedia communication software built on pjproject that processes RTCP feedback, especially in environments where untrusted or external RTCP packets are received.
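To illustrate the class of check an RPSI parser needs, the following C function is an added example (it is not pjproject code and not the upstream patch) that bounds every length taken from the packet by the number of bytes actually received. The names `rpsi_parse_checked`, `struct rpsi_view` and the status codes are hypothetical; the packet layout assumed is the RPSI feedback message format of RFC 4585.

```c
/* Added example with hypothetical names; not pjproject code.
 * Layout assumed: RTCP PSFB/RPSI feedback message as in RFC 4585. */
#include <stddef.h>
#include <stdint.h>

#define RTCP_PT_PSFB  206   /* payload-specific feedback */
#define RTCP_FMT_RPSI 3     /* Reference Picture Selection Indication */

enum rpsi_status { RPSI_OK = 0, RPSI_NOT_RPSI, RPSI_TOO_SHORT,
                   RPSI_BAD_LENGTH, RPSI_BAD_PADDING };

struct rpsi_view {
    uint8_t        payload_type; /* 7-bit RTP payload type */
    const uint8_t *bits;         /* native RPSI bit string, points into buf */
    size_t         bit_len;      /* bit string length in bits, padding removed */
};

/* Validate and parse one RPSI packet of buf_len received bytes. */
enum rpsi_status rpsi_parse_checked(const uint8_t *buf, size_t buf_len,
                                    struct rpsi_view *out)
{
    /* 4-byte header + sender SSRC + media SSRC = 12 bytes before the FCI */
    if (buf == NULL || out == NULL || buf_len < 12)
        return RPSI_TOO_SHORT;
    if ((buf[0] >> 6) != 2 || buf[1] != RTCP_PT_PSFB ||
        (buf[0] & 0x1f) != RTCP_FMT_RPSI)
        return RPSI_NOT_RPSI;

    /* The length field counts 32-bit words minus one and is sender-controlled:
     * it must never describe more data than was received. */
    size_t declared = ((size_t)((buf[2] << 8) | buf[3]) + 1) * 4;
    if (declared > buf_len)
        return RPSI_BAD_LENGTH;
    if (declared < 12 + 2)          /* FCI needs the PB and payload-type bytes */
        return RPSI_TOO_SHORT;

    const uint8_t *fci = buf + 12;
    size_t avail_bits   = (declared - 12 - 2) * 8;
    size_t padding_bits = fci[0];   /* PB: number of trailing padding bits */
    if (padding_bits > avail_bits)  /* would underflow bit_len below */
        return RPSI_BAD_PADDING;

    out->payload_type = fci[1] & 0x7f;
    out->bits         = fci + 2;
    out->bit_len      = avail_bits - padding_bits;
    return RPSI_OK;
}
```

A caller should treat any status other than `RPSI_OK` as a reason to drop the packet and log the event, which also gives the monitoring signal the mitigation steps call for.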
Potential Impact
For European organizations, the impact of CVE-2022-24786 depends on the extent to which pjproject-based applications are deployed within their communication infrastructure. Many enterprises, telecom providers, and service vendors in Europe use PJSIP for VoIP, video conferencing, and unified communications. Exploitation could lead to unauthorized disclosure of memory contents, potentially leaking sensitive information such as call metadata or cryptographic material. Furthermore, memory corruption could destabilize communication services, causing interruptions or degraded service quality. This is particularly critical for sectors relying on real-time communications, such as finance, healthcare, government, and critical infrastructure operators. Given the lack of known exploits, the immediate risk is moderate, but the vulnerability could be leveraged in targeted attacks or supply chain compromises. The confidentiality and integrity of communications could be compromised, affecting compliance with European data protection regulations like GDPR. Additionally, service disruptions could impact business continuity and operational resilience.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Identify all applications and services using pjproject versions 2.12 or earlier, especially those handling RTCP feedback packets.
2) Apply the official patch from the pjsip/pjproject GitHub repository master branch as soon as possible to remediate the out-of-bounds read and write issues.
3) If immediate patching is not feasible, restrict network access to communication services to trusted networks and endpoints to reduce exposure to malicious RTCP packets.
4) Implement deep packet inspection or RTCP packet filtering at network boundaries to detect and block malformed or suspicious RTCP feedback messages.
5) Monitor application logs and network traffic for anomalies indicative of exploitation attempts, such as unexpected crashes or malformed RTCP packets.
6) Engage with vendors or software maintainers to ensure updated versions of dependent applications are deployed.
7) Conduct penetration testing and fuzzing of RTCP packet handling in pjproject-based applications to proactively identify residual vulnerabilities.
These steps go beyond generic advice by focusing on network-level controls and proactive detection tailored to the nature of the vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9843c4522896dcbf2b5b
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 11:50:48 AM
Last updated: 7/26/2025, 8:45:18 AM