CVE-2026-32942 identifies a use-after-free vulnerability (CWE-416) in the PJSIP pjproject library, a widely used open-source multimedia communication framework written in C. The vulnerability exists in versions 2.16 and earlier, specifically within the Interactive Connectivity Establishment (ICE) session management code. The root cause is a race condition between the destruction of an ICE session and the invocation of its associated callbacks, which leads to heap memory being accessed after it has been freed. This unsafe memory access can cause application crashes or potentially allow remote attackers to execute arbitrary code by manipulating the timing of session events. The vulnerability is exploitable over the network without requiring authentication or user interaction, increasing its risk profile. The issue was addressed and fixed in version 2.17 of pjproject. Although no active exploits have been reported, the high CVSS 4.0 score of 8.0 reflects the vulnerability's critical impact on confidentiality and integrity due to the potential for remote code execution and denial of service. The vulnerability affects any system using vulnerable pjproject versions in VoIP, video conferencing, or other multimedia communication applications that rely on PJSIP for session management and ICE connectivity.

The vulnerability poses significant risks to organizations deploying PJSIP-based communication systems, including VoIP providers, unified communications platforms, and multimedia conferencing solutions. Exploitation can lead to denial of service through application crashes, disrupting critical communication services. More severely, attackers could achieve remote code execution, compromising the confidentiality and integrity of affected systems. This could enable interception or manipulation of voice and video communications, unauthorized access to sensitive data, or pivoting within internal networks. Given the lack of authentication and user interaction requirements, the attack surface is broad, potentially allowing widespread exploitation. Organizations relying on vulnerable versions may face operational disruptions, reputational damage, and regulatory consequences if communications are compromised. The absence of known exploits in the wild provides a window for proactive mitigation, but the high severity demands urgent attention.

Organizations should immediately upgrade all instances of pjproject to version 2.17 or later, where the vulnerability is patched. For environments where immediate upgrading is not feasible, applying temporary mitigations such as disabling ICE session callbacks or isolating vulnerable components within network segments can reduce exposure. Implementing network-level protections like firewall rules to restrict access to PJSIP services and intrusion detection systems tuned to detect anomalous session behaviors can help identify exploitation attempts. Regularly auditing and monitoring communication system logs for crashes or unusual activity related to ICE sessions is recommended. Additionally, organizations should maintain an up-to-date asset inventory to identify all deployments of pjproject and ensure consistent patch management. Engaging with vendors or service providers to confirm their use of patched versions is also critical. Finally, incorporating this vulnerability into incident response plans will prepare teams to respond swiftly if exploitation is detected.