CVE-2026-32942 is a use-after-free vulnerability classified under CWE-416, found in the pjsip pjproject library, a widely used open-source multimedia communication stack written in C. The vulnerability exists in versions 2.16 and earlier, specifically within the ICE (Interactive Connectivity Establishment) session management component. The flaw occurs due to race conditions between the destruction of ICE sessions and the execution of associated callbacks, which leads to heap memory being accessed after it has been freed. This condition can cause memory corruption, potentially allowing an attacker to execute arbitrary code, crash the application, or manipulate data. The vulnerability is remotely exploitable without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The CVSS v4.0 base score of 8 reflects the high impact on confidentiality and integrity, with no impact on availability. The issue was addressed and fixed in pjproject version 2.17. No public exploits have been reported yet, but the nature of the vulnerability and its ease of exploitation make it a critical concern for applications relying on pjproject for real-time communications, such as VoIP systems, video conferencing, and other multimedia services.

The vulnerability poses significant risks to organizations worldwide that utilize pjproject in their communication infrastructure. Exploitation could allow attackers to execute arbitrary code remotely, leading to full system compromise, data leakage, or persistent backdoors. The integrity of communication sessions can be undermined, potentially enabling interception or manipulation of sensitive multimedia data. Additionally, denial-of-service conditions could disrupt critical communication services. Given pjproject's widespread use in VoIP and multimedia applications, affected organizations include telecom providers, enterprises with unified communications, and service providers. The lack of authentication or user interaction requirements increases the attack surface and ease of exploitation, potentially enabling large-scale automated attacks. The absence of known exploits currently provides a window for proactive patching, but the high severity demands immediate attention to prevent future exploitation.

Organizations should promptly upgrade all pjproject deployments to version 2.17 or later, where the vulnerability is fixed. For environments where immediate upgrading is not feasible, applying temporary mitigations such as isolating vulnerable services behind firewalls, restricting network access to trusted hosts, and monitoring for unusual ICE session activity can reduce risk. Implementing runtime protections like memory safety tools (e.g., AddressSanitizer) during development and testing can help detect similar issues. Additionally, organizations should audit their communication infrastructure to identify all instances of pjproject usage, including embedded devices and third-party applications. Regularly updating and patching multimedia communication libraries, combined with network segmentation and intrusion detection systems tuned for VoIP anomalies, will further enhance security posture against exploitation attempts.