PJSIP is an open-source multimedia communication library widely used in VoIP applications, SIP clients, and other real-time communication systems. CVE-2026-28799 identifies a heap-based use-after-free vulnerability in the event subscription framework component (evsub.c) of pjproject versions before 2.17. The vulnerability is triggered when a remote attacker sends a SUBSCRIBE request with the Expires header set to zero, indicating a presence unsubscription. During this process, the code incorrectly handles memory, freeing an object while it is still in use, leading to a use-after-free condition. This memory corruption can be exploited to execute arbitrary code remotely or cause a denial of service by crashing the application. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The patch in version 2.17 corrects the memory management logic to prevent the use-after-free condition. Although no active exploits have been reported, the high CVSS score of 8.7 reflects the critical nature of this flaw in communication infrastructures relying on pjproject.

The exploitation of this vulnerability can have severe consequences for organizations using pjproject in their communication stacks. Successful attacks could lead to remote code execution, allowing attackers to take control of affected systems, intercept or manipulate communications, or pivot within internal networks. Alternatively, denial of service attacks could disrupt critical VoIP or multimedia services, impacting business operations and communications. Given the widespread use of PJSIP in telephony, unified communications, and embedded devices, the vulnerability poses a significant risk to enterprises, service providers, and critical infrastructure operators. The lack of authentication and user interaction requirements increases the attack surface, enabling attackers to target exposed SIP endpoints directly over the network.

Organizations should immediately upgrade all instances of pjproject to version 2.17 or later, where the vulnerability is patched. For environments where immediate upgrading is not feasible, network-level mitigations such as restricting access to SIP services using firewalls or SIP-aware intrusion prevention systems can reduce exposure. Monitoring SIP traffic for anomalous SUBSCRIBE requests with Expires=0 can help detect potential exploitation attempts. Additionally, applying runtime protections like memory corruption mitigations (e.g., ASLR, DEP) and employing application-layer firewalls that understand SIP protocol semantics can further reduce risk. Vendors embedding pjproject in their products should issue firmware or software updates promptly. Regular vulnerability scanning and penetration testing focused on SIP infrastructure are recommended to identify and remediate vulnerable instances.