PJSIP is an open-source multimedia communication library widely used for VoIP and video streaming applications. In versions 2.16 and earlier, the H.264 unpacketizer component contains a critical heap-based buffer overflow vulnerability (CWE-122) identified as CVE-2026-26967. The vulnerability arises when the unpacketizer processes Secure Real-time Transport Protocol (SRTP) packets containing H.264 video data. Specifically, the code reads a 2-byte NAL (Network Abstraction Layer) unit size field from the packet payload without verifying that both bytes reside within the bounds of the payload buffer. This lack of boundary checking allows an attacker to craft malformed SRTP packets that cause the unpacketizer to read beyond the allocated buffer, resulting in heap memory corruption. Exploiting this flaw can lead to arbitrary code execution or application crashes, compromising confidentiality, integrity, and availability of the affected system. The vulnerability requires no authentication or user interaction and can be triggered remotely by sending malicious video streams. The patch addressing this issue was committed to the pjproject repository, correcting the boundary validation logic to prevent out-of-bounds reads. Given the widespread use of PJSIP in multimedia and VoIP applications, this vulnerability poses a significant risk to systems handling H.264 video over SRTP.

The heap-based buffer overflow in PJSIP's H.264 unpacketizer can have severe consequences for organizations relying on pjproject for multimedia communication. Successful exploitation can lead to remote code execution, allowing attackers to take control of affected systems, steal sensitive information, or disrupt services. This can compromise the confidentiality and integrity of communications and potentially lead to denial of service conditions. Since the vulnerability requires no authentication or user interaction, attackers can exploit it remotely, increasing the attack surface. Organizations using PJSIP in VoIP infrastructure, video conferencing, or other real-time multimedia applications are at risk. The impact is especially critical for sectors where secure and reliable communication is essential, such as government, finance, healthcare, and critical infrastructure. The absence of known exploits in the wild provides a window for proactive patching, but the high CVSS score (8.1) underscores the urgency of mitigation.

To mitigate CVE-2026-26967, organizations should immediately update PJSIP pjproject to the patched version that includes the fix for the H.264 unpacketizer boundary check. If upgrading is not immediately feasible, applying any available vendor-provided patches or workarounds that enforce strict validation of NAL unit size fields is critical. Network-level protections such as deep packet inspection and filtering of malformed SRTP packets can reduce exposure. Deploying intrusion detection/prevention systems (IDS/IPS) with signatures targeting malformed H.264 SRTP packets may help detect exploitation attempts. Additionally, isolating multimedia communication servers and limiting their network exposure reduces risk. Regularly auditing and monitoring logs for unusual activity related to video streaming can provide early warning of exploitation attempts. Finally, organizations should ensure secure coding practices and fuzz testing for multimedia processing components to prevent similar vulnerabilities.