CVE-2026-28799: CWE-416: Use After Free in pjsip pjproject
CVE-2026-28799 is a high-severity use-after-free vulnerability in the PJSIP pjproject multimedia communication library versions prior to 2.17. The flaw exists in the event subscription framework (evsub.c) and is triggered when processing presence unsubscription requests (SUBSCRIBE with Expires=0). Exploiting this vulnerability can lead to heap corruption, potentially allowing remote code execution or denial of service without requiring authentication or user interaction. The issue has been patched in version 2.17. Organizations using vulnerable versions of pjproject in VoIP or multimedia communication systems should update immediately to mitigate risk. No known exploits are currently reported in the wild, but the low attack complexity and network attack vector make this a critical patch priority. Countries with significant deployment of VoIP infrastructure and open-source telephony stacks are most at risk.
AI Analysis
Technical Summary
CVE-2026-28799 is a use-after-free vulnerability classified under CWE-416 affecting the PJSIP pjproject library, a widely used open-source multimedia communication stack written in C. The vulnerability resides in the event subscription framework component (evsub.c) and is specifically triggered during presence unsubscription operations, i.e., when a SUBSCRIBE request is sent with an Expires header set to zero. This causes the library to free memory prematurely while still referencing it, leading to heap corruption. Because the flaw can be triggered remotely over the network without authentication or user interaction, it poses a significant security risk. The vulnerability affects all pjproject versions prior to 2.17, where it has been patched. The CVSS 4.0 base score is 8.7, indicating high severity, with an attack vector of network, no privileges required, and no user interaction needed. Exploitation could allow attackers to execute arbitrary code or cause denial of service by crashing the affected application. The vulnerability is particularly critical for systems relying on PJSIP for VoIP, SIP-based communication, or multimedia conferencing solutions. Although no known exploits have been reported in the wild yet, the ease of exploitation and potential impact warrant immediate remediation.
Potential Impact
The impact of CVE-2026-28799 is substantial for organizations using pjproject in their communication infrastructure. Successful exploitation can lead to remote code execution, allowing attackers to take control of affected systems, or cause denial of service by crashing services. This threatens confidentiality, integrity, and availability of communication platforms, potentially disrupting business operations, exposing sensitive communications, or enabling further lateral movement within networks. Given the network-exploitable nature and lack of authentication requirements, attackers can target exposed VoIP servers or multimedia gateways directly. This vulnerability could be leveraged in targeted attacks against enterprises, service providers, or government agencies relying on PJSIP-based solutions. The widespread use of pjproject in open-source telephony stacks and embedded devices increases the scope of affected systems globally.
Mitigation Recommendations
To mitigate CVE-2026-28799, organizations should immediately upgrade pjproject to version 2.17 or later, where the vulnerability is patched. For environments where immediate upgrade is not feasible, apply any available vendor-provided patches or workarounds that disable or restrict the event subscription framework, particularly presence unsubscription features. Network-level mitigations include restricting access to SIP and related ports to trusted sources only, deploying intrusion detection/prevention systems with signatures for suspicious SUBSCRIBE with Expires=0 requests, and monitoring logs for anomalous subscription activity. Additionally, implement network segmentation to isolate VoIP infrastructure from general user networks. Regularly audit and update all telephony and multimedia communication components to ensure they are not running vulnerable versions. Finally, maintain an incident response plan specific to VoIP infrastructure compromise scenarios.
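The two monitoring steps above (watching for SUBSCRIBE requests with Expires=0 from untrusted sources, and auditing deployed pjproject versions against 2.17) can be scripted. The following is an added example written for this page; it is not code from the advisory or from pjproject. It assumes the request shape the advisory names (SUBSCRIBE, Event: presence, Expires: 0), a hypothetical allowlist of trusted CIDRs, and a few constructed SIP messages embedded as sample input. It also handles the compact form of the Event header (`o:`), which a naive string match on "Event: presence" would miss.

```python
"""Added example (not from the advisory or pjproject): flag SIP SUBSCRIBE
requests carrying Expires: 0 for the presence event from sources outside a
trusted allowlist, and check pjproject version strings against the 2.17 fix.
All SIP messages and addresses below are constructed sample data."""

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Per the advisory, pjproject releases before 2.17 are affected.
FIXED_VERSION = (2, 17)

# RFC 3265 allows the Event header to be written in compact form as "o".
COMPACT_HEADERS = {"o": "event"}


@dataclass
class SipRequest:
    method: str
    headers: dict = field(default_factory=dict)  # lowercase name -> value


def parse_sip_request(raw: str) -> Optional[SipRequest]:
    """Parse the request line and headers of a SIP request (CRLF-separated
    lines, blank line ends the headers). Returns None for responses or
    malformed input so a monitoring loop never dies on junk traffic."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+)\s+\S+\s+SIP/2\.0$", lines[0])
    if not m:
        return None
    req = SipRequest(method=m.group(1))
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        name = name.strip().lower()
        req.headers[COMPACT_HEADERS.get(name, name)] = value.strip()
    return req


def is_presence_unsubscribe(req: SipRequest) -> bool:
    """True for SUBSCRIBE with Expires: 0 and Event: presence, the request
    shape the advisory associates with the vulnerable code path."""
    if req.method != "SUBSCRIBE":
        return False
    try:
        expires = int(req.headers.get("expires", ""))
    except ValueError:
        return False
    event = req.headers.get("event", "").split(";", 1)[0].strip().lower()
    return expires == 0 and event == "presence"


def review_traffic(samples, trusted_cidrs):
    """samples: iterable of (source_ip, raw_sip_message). Returns one alert
    dict per presence unsubscribe arriving from outside trusted_cidrs."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for src, raw in samples:
        req = parse_sip_request(raw)
        if req is None or not is_presence_unsubscribe(req):
            continue
        if any(ipaddress.ip_address(src) in n for n in nets):
            continue  # expected behaviour from our own endpoints
        alerts.append({"src": src,
                       "call_id": req.headers.get("call-id", "?"),
                       "from": req.headers.get("from", "?")})
    return alerts


def pjproject_is_fixed(version: str) -> bool:
    """True when a version string such as '2.17' or '2.16.1' is 2.17 or later.
    Assumes plain numeric major.minor[.patch] strings."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:2])
    return parts >= FIXED_VERSION


def _msg(src_host, call_id, event_line, expires):
    # Helper that builds a constructed SUBSCRIBE message for the sample set.
    return (f"SUBSCRIBE sip:alice@pbx.example SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src_host}:5060;branch=z9hG4bK-{call_id}\r\n"
            f"From: <sip:bob@{src_host}>;tag=a1\r\n"
            f"To: <sip:alice@pbx.example>\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: 2 SUBSCRIBE\r\n"
            f"{event_line}\r\n"
            f"Expires: {expires}\r\n"
            f"Content-Length: 0\r\n\r\n")


TRUSTED = ["10.0.0.0/8"]  # hypothetical: the internal phone VLAN
SAMPLES = [
    ("10.0.0.5", _msg("10.0.0.5", "trusted-unsub-1", "Event: presence", 0)),
    ("203.0.113.9", _msg("203.0.113.9", "ext-unsub-1", "o: presence", 0)),
    ("203.0.113.9", _msg("203.0.113.9", "ext-sub-1", "Event: presence", 3600)),
    ("198.51.100.4", "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP x\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in review_traffic(SAMPLES, TRUSTED):
        print("ALERT external presence unsubscribe:", alert)
    for v in ("2.16.1", "2.17"):
        print(v, "fixed" if pjproject_is_fixed(v) else "VULNERABLE")
```

Only the external request using the compact `o:` header produces an alert; the internal unsubscribe and the external 3600-second subscription are ignored, and the stray response is skipped rather than raising. Feeding real captures in requires only replacing `SAMPLES` with `(source_ip, message)` pairs from a packet capture or SIP proxy log.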
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil, Netherlands, Sweden, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T14:25:19.245Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa7bb0c48b3f10ff245867
Added to database: 3/6/2026, 7:01:04 AM
Last enriched: 3/6/2026, 7:15:33 AM
Last updated: 3/6/2026, 1:58:12 PM