CVE-2026-25994: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in pjsip pjproject
CVE-2026-25994 is a high-severity buffer overflow vulnerability in the PJNATH ICE Session component of the pjsip pjproject library versions 2.16 and earlier. It occurs when processing credentials with excessively long usernames, leading to a classic buffer overflow due to unchecked input size. The vulnerability can be exploited remotely without authentication or user interaction, potentially allowing attackers to execute arbitrary code or cause denial of service. No known exploits are currently reported in the wild. European organizations using pjsip-based VoIP or multimedia communication systems are at risk, especially those relying on vulnerable versions. Mitigation requires updating to a patched version once available or applying custom input validation and length checks on usernames. Countries with significant telecom infrastructure and VoIP adoption, such as Germany, France, the UK, and the Netherlands, are likely most affected. Given the high CVSS score (8.1) and the potential for remote exploitation with high impact on confidentiality, integrity, and availability, this vulnerability demands prompt attention from defenders.
AI Analysis
Technical Summary
CVE-2026-25994 is a buffer overflow vulnerability classified under CWE-120 found in the PJNATH ICE Session component of the pjsip pjproject library, versions 2.16 and earlier. PJSIP is a widely used open-source multimedia communication library written in C, commonly employed in VoIP and real-time communication applications. The vulnerability arises when the system processes credentials containing usernames that exceed expected length limits. Due to the lack of proper bounds checking during buffer copy operations, an attacker can supply an excessively long username, causing a buffer overflow. This overflow can overwrite adjacent memory, potentially leading to arbitrary code execution or application crashes. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS v4.0 base score is 8.1, reflecting its high severity, with vector metrics indicating network attack vector, low attack complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. Although no exploits have been reported in the wild yet, the nature of the vulnerability makes it a critical concern for systems using vulnerable pjsip versions. No official patches are listed yet, so mitigation currently relies on defensive coding practices and monitoring for updates from the vendor.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those deploying pjsip-based communication systems in telephony, unified communications, or multimedia conferencing solutions. Exploitation could allow attackers to execute arbitrary code remotely, leading to full compromise of affected systems, data breaches, or denial of service conditions disrupting critical communication services. This could affect confidentiality by exposing sensitive call or user data, integrity by allowing manipulation of communication sessions, and availability by crashing or destabilizing services. Given the widespread use of pjsip in open-source and commercial VoIP products, the scope of affected systems is broad. Disruption of communication infrastructure could have cascading effects on business operations, emergency services, and governmental communications across Europe. The lack of required authentication or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation attempts once a public exploit becomes available.
Mitigation Recommendations
European organizations should immediately inventory their use of pjsip pjproject libraries and identify versions at or below 2.16. Until an official patch is released, organizations should implement strict input validation on usernames and credentials at the application or network boundary to enforce maximum length limits and reject anomalous inputs. Employing network-level protections such as Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block suspiciously long username fields in SIP or related traffic can reduce exposure. Monitoring logs for abnormal authentication attempts with unusually long usernames can provide early warning of exploitation attempts. Organizations should subscribe to vendor advisories and CVE databases to apply patches promptly once available. Additionally, isolating critical communication servers and applying the principle of least privilege can limit the impact of a successful exploit. Conducting penetration testing and code audits focusing on input handling in pjsip components can uncover other potential weaknesses.
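The length check recommended above can be enforced in the application before ICE credentials reach the library. The following C sketch is an added example, not pjproject code and not the vendor's fix: it assumes the ICE username takes the "rfrag:lfrag" form and that each username fragment is limited to 4..256 characters from the set ALPHA / DIGIT / "+" / "/" (the SDP grammar for ice-ufrag in RFC 8839). All function and constant names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define ICE_UFRAG_MIN 4                       /* assumed lower bound (RFC 8839 grammar) */
#define ICE_UFRAG_MAX 256                     /* assumed upper bound (RFC 8839 grammar) */
#define USERNAME_BUF  (2 * ICE_UFRAG_MAX + 2) /* rfrag + ':' + lfrag + NUL */

enum cred_status { CRED_OK = 0, CRED_TOO_SHORT, CRED_TOO_LONG,
                   CRED_BAD_CHAR, CRED_NO_SPACE };

/* Validate one fragment given as pointer + length (not assumed NUL-terminated). */
static enum cred_status check_ufrag(const char *s, size_t len)
{
    if (len < ICE_UFRAG_MIN) return CRED_TOO_SHORT;
    if (len > ICE_UFRAG_MAX) return CRED_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '+' && c != '/') return CRED_BAD_CHAR;
    }
    return CRED_OK;
}

/* Build "rfrag:lfrag" into out[cap]; nothing is written unless all of it fits. */
enum cred_status build_ice_username(char *out, size_t cap,
                                    const char *rfrag, size_t rlen,
                                    const char *lfrag, size_t llen)
{
    enum cred_status st;
    if ((st = check_ufrag(rfrag, rlen)) != CRED_OK) return st;
    if ((st = check_ufrag(lfrag, llen)) != CRED_OK) return st;
    /* Both lengths are <= 256 here, so the sum cannot wrap around. */
    if (rlen + 1 + llen + 1 > cap) return CRED_NO_SPACE;
    memcpy(out, rfrag, rlen);
    out[rlen] = ':';
    memcpy(out + rlen + 1, lfrag, llen);
    out[rlen + 1 + llen] = '\0';
    return CRED_OK;
}

/* Constructed input: remote fragment of rlen 'a' bytes, local fragment "Lf0+". */
int demo_status(size_t rlen, size_t cap)
{
    static char big[1024];
    char out[USERNAME_BUF];
    if (rlen > sizeof big || cap > sizeof out) return -1;
    memset(big, 'a', rlen);
    return build_ice_username(out, cap, big, rlen, "Lf0+", 4);
}
```

Rejected credentials should be logged with their length, since an oversized fragment is the early-warning signal the monitoring recommendation describes.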
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T17:41:55.858Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 698cf19f4b57a58fa1cc1c96
Added to database: 2/11/2026, 9:16:15 PM
Last enriched: 2/11/2026, 9:31:05 PM
Last updated: 2/11/2026, 10:35:10 PM