CVE-2026-29068 is a stack-based buffer overflow vulnerability identified in the pjproject open-source multimedia communication library, specifically within the pjmedia-codec module responsible for parsing RTP payloads. The vulnerability arises when the RTP payload contains more frames than the buffer allocated by the caller can accommodate, resulting in an overflow of the stack buffer. This memory corruption can lead to arbitrary code execution or application crashes. The flaw affects all pjproject versions prior to 2.17 and does not require any authentication, user interaction, or privileges to exploit, making it remotely exploitable over the network. The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow) and has a CVSS 4.0 base score of 8.7, reflecting its high severity due to ease of exploitation and potential impact on confidentiality, integrity, and availability. The issue was publicly disclosed and patched in version 2.17 of pjproject. No public exploit code or active exploitation has been reported to date. Pjsip is widely used in VoIP systems, IP telephony, and multimedia communication applications, making this vulnerability relevant to many organizations relying on these technologies.

The exploitation of CVE-2026-29068 can have severe consequences for organizations using vulnerable versions of pjproject. Successful exploitation can lead to arbitrary code execution, allowing attackers to take control of affected systems, potentially leading to data breaches, interception or manipulation of voice communications, and disruption of telephony services. Additionally, the vulnerability can cause denial of service by crashing the affected application, impacting availability of critical communication infrastructure. Given the widespread use of pjsip in VoIP and multimedia communication platforms, the impact can extend to enterprises, service providers, and government agencies relying on these technologies for real-time communications. The lack of authentication and user interaction requirements increases the risk of remote exploitation by attackers scanning for vulnerable endpoints. Although no known exploits are currently in the wild, the high CVSS score and nature of the vulnerability warrant urgent remediation to prevent future attacks.

To mitigate CVE-2026-29068, organizations should immediately upgrade pjproject to version 2.17 or later, where the vulnerability has been patched. For environments where immediate upgrade is not feasible, implementing network-level protections such as strict RTP traffic filtering, intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous RTP payloads, and limiting exposure of pjsip-based services to untrusted networks can reduce attack surface. Additionally, applying runtime protections like stack canaries, address space layout randomization (ASLR), and control flow integrity (CFI) can help mitigate exploitation impact. Regularly monitoring logs and network traffic for unusual RTP frame patterns or crashes in multimedia services can aid early detection of exploitation attempts. Vendors and integrators using pjproject in their products should verify the inclusion of the patched version and communicate updates to customers promptly. Finally, maintaining an incident response plan for potential exploitation scenarios involving communication infrastructure is recommended.