CVE-2026-29068 identifies a stack-based buffer overflow vulnerability (CWE-121) in the pjproject multimedia communication library, specifically in the pjmedia-codec module responsible for parsing RTP payloads. PJSIP is widely used in VoIP and multimedia applications for real-time communication. The vulnerability arises when the RTP payload contains more frames than the buffer allocated by the caller can accommodate, leading to an overflow on the stack. This memory corruption can be exploited remotely without any authentication or user interaction, as the attacker only needs to send a specially crafted RTP stream to the vulnerable system. The overflow can result in arbitrary code execution or denial of service, compromising the confidentiality, integrity, and availability of affected systems. The vulnerability affects all pjproject versions prior to 2.17, where the issue has been patched. The CVSS 4.0 base score is 8.7, reflecting its high severity due to network attack vector, low complexity, no privileges or user interaction required, and high impact on availability. Although no exploits have been reported in the wild yet, the vulnerability's characteristics make it a critical concern for organizations relying on pjsip for multimedia communications.

The impact of CVE-2026-29068 is significant for organizations using pjproject in their communication infrastructure. Successful exploitation can lead to remote code execution, allowing attackers to take control of affected systems, intercept or manipulate communications, and disrupt services. This can compromise sensitive voice and video data, damage organizational reputation, and cause operational downtime. Telecommunications providers, enterprises using VoIP solutions, and any service relying on pjsip for real-time multimedia communication are at risk. The vulnerability's network-exploitable nature and lack of required authentication increase the attack surface, potentially enabling widespread exploitation if weaponized. Given the critical role of communication systems, exploitation could also facilitate further lateral movement within networks or serve as a foothold for advanced persistent threats.

Organizations should immediately upgrade all instances of pjproject to version 2.17 or later, where the vulnerability is patched. For environments where immediate upgrading is not feasible, network-level mitigations such as filtering or blocking suspicious RTP traffic from untrusted sources can reduce exposure. Deploying intrusion detection and prevention systems (IDS/IPS) with signatures targeting malformed RTP payloads may help detect exploitation attempts. Regularly auditing and monitoring communication infrastructure logs for anomalies is recommended. Additionally, applying strict access controls and network segmentation to isolate vulnerable multimedia communication servers can limit potential damage. Vendors and integrators should verify that their products incorporating pjsip have incorporated the patch. Finally, maintaining an up-to-date asset inventory of systems using pjproject will aid in comprehensive remediation.