CVE-2022-24792 is a denial-of-service (DoS) vulnerability identified in the PJSIP multimedia communication library, specifically in the pjproject component versions 2.12 and earlier. PJSIP is an open-source library widely used for multimedia communication applications, including VoIP and SIP-based systems. The vulnerability arises from improper handling of WAV audio files on 32-bit systems. When an application using a vulnerable version of pjproject attempts to play or read a WAV file containing data chunks with lengths exceeding the maximum value representable by a 31-bit integer, the code enters an infinite loop due to an unreachable exit condition (classified under CWE-835). This infinite loop causes the application to hang or crash, resulting in a denial-of-service condition. Notably, this issue does not affect 64-bit applications because of differences in integer size and handling. Additionally, applications that only process trusted WAV files are less likely to be impacted, as the vulnerability is triggered by malformed or maliciously crafted WAV files. A patch addressing this vulnerability is available on the master branch of the pjsip/project GitHub repository. As an interim mitigation, applications can reject WAV files from untrusted sources or perform validation checks on WAV file structure and chunk sizes before processing them. There are no known exploits in the wild at this time, and the vulnerability was publicly disclosed in April 2022.

For European organizations, the primary impact of this vulnerability is the potential disruption of multimedia communication services that rely on PJSIP pjproject on 32-bit systems. This could affect VoIP infrastructure, unified communications platforms, and any custom applications using PJSIP for audio playback or processing. A successful exploitation would cause service outages or degraded availability, impacting business continuity and potentially leading to operational downtime. Confidentiality and integrity are not directly compromised by this vulnerability, as it does not allow code execution or data manipulation beyond causing an application hang. However, the denial-of-service effect could be leveraged in targeted attacks against critical communication infrastructure, especially in sectors such as telecommunications, emergency services, and enterprises with legacy 32-bit systems. The risk is mitigated in environments running 64-bit applications or where WAV files are strictly controlled and validated. Nonetheless, organizations with legacy hardware or software stacks that have not updated PJSIP pjproject are at higher risk of service disruption.

To mitigate this vulnerability, European organizations should: 1) Upgrade all instances of PJSIP pjproject to versions later than 2.12 where the patch is applied, preferably by pulling the latest stable release from the official repository rather than relying on the master branch alone. 2) Identify and inventory all 32-bit systems running applications that utilize PJSIP for audio playback or processing, prioritizing updates or migration to 64-bit systems where feasible. 3) Implement strict validation of WAV files before processing, including checks on chunk sizes and file integrity, to reject malformed or suspicious files from untrusted sources. 4) Configure applications to reject WAV files received from unknown or untrusted origins to reduce exposure to maliciously crafted files. 5) Monitor application logs and system behavior for signs of hangs or crashes related to audio processing, enabling rapid detection and response to potential exploitation attempts. 6) Where patching or upgrading is not immediately possible, consider isolating vulnerable systems from external networks or limiting their exposure to untrusted multimedia content. These steps go beyond generic advice by focusing on legacy system identification, file validation, and operational monitoring tailored to the nature of this vulnerability.