PJSIP is an open-source multimedia communication library widely used for VoIP and video streaming applications. In versions 2.16 and earlier of pjproject, a critical heap-based buffer overflow vulnerability (CVE-2026-26967) exists in the H.264 unpacketizer module. This vulnerability occurs during the processing of Secure Real-time Transport Protocol (SRTP) packets that carry H.264 video data. Specifically, the unpacketizer reads a 2-byte Network Abstraction Layer (NAL) unit size field from the packet payload without verifying that both bytes reside within the bounds of the payload buffer. This lack of bounds checking can lead to a heap buffer overflow when malformed or maliciously crafted SRTP packets are received. Exploiting this flaw can result in arbitrary code execution, memory corruption, or application crashes, compromising confidentiality, integrity, and availability of affected systems. The vulnerability requires no authentication or user interaction and can be triggered remotely by sending crafted SRTP packets to vulnerable endpoints. The issue has been addressed in a patch committed to the pjproject repository (commit f821c214e52b11bae11e4cd3c7f0864538fb5491). Given the critical nature of the flaw and the widespread use of PJSIP in multimedia communication solutions, timely patching is essential to prevent exploitation.

The impact of CVE-2026-26967 is significant for organizations relying on PJSIP for multimedia communication, particularly those handling H.264 video streams over SRTP. Successful exploitation can lead to remote code execution, allowing attackers to take control of affected systems, steal sensitive information, disrupt communications, or pivot within networks. The heap-based buffer overflow can also cause denial of service through application crashes, affecting service availability. Since the vulnerability requires no authentication or user interaction, it can be exploited by unauthenticated remote attackers, increasing the risk of widespread attacks. Critical infrastructure, telecommunications providers, unified communications platforms, and any enterprise using PJSIP-based solutions are at risk. The vulnerability could be leveraged in targeted attacks or large-scale campaigns to disrupt voice and video communications, impacting business continuity and data security.

To mitigate this vulnerability, organizations should immediately apply the official patch provided by the pjproject maintainers (commit f821c214e52b11bae11e4cd3c7f0864538fb5491). If patching is not immediately feasible, consider implementing network-level controls such as filtering or blocking malformed SRTP packets from untrusted sources. Deploy intrusion detection/prevention systems (IDS/IPS) with updated signatures capable of detecting exploitation attempts targeting this vulnerability. Conduct thorough testing of multimedia communication applications to ensure they use updated PJSIP versions. Additionally, implement strict network segmentation to limit exposure of vulnerable endpoints and monitor logs for unusual SRTP traffic patterns. Regularly update and audit all multimedia communication components to prevent similar vulnerabilities. Educate security teams about this specific threat to enhance incident response readiness.