CVE-2026-32945: CWE-122: Heap-based Buffer Overflow in pjsip pjproject
CVE-2026-32945 is a high-severity heap-based buffer overflow vulnerability in the DNS parser of the PJSIP pjproject library versions 2.16 and below. It arises from improper handling of name length in DNS responses when using PJSIP's built-in DNS resolver. Exploitation requires no authentication or user interaction but has a high attack complexity. The vulnerability can lead to memory corruption, potentially allowing remote code execution or denial of service. Systems using PJSIP with configured internal DNS resolvers (via pjsua_config.nameserver or UaConfig.nameserver) are affected, while those relying on OS or external resolvers are not. The issue is fixed in version 2.17.
AI Analysis
Technical Summary
PJSIP is an open-source multimedia communication library widely used in VoIP and real-time communication applications. Versions up to 2.16 contain a heap-based buffer overflow vulnerability (CWE-122) in the DNS parser component, specifically in the handling of the name length field within DNS responses when using PJSIP's built-in DNS resolver. This flaw allows an attacker to craft malicious DNS responses that overflow the heap buffer, leading to memory corruption. The vulnerability does not affect users who rely on the operating system's DNS resolver (e.g., getaddrinfo()) or those who configure PJSIP to use an external DNS resolver via pjsip_resolver_set_ext_resolver(). Exploitation requires no privileges or user interaction but has a high attack complexity due to the need to control DNS responses. The CVSS 4.0 score is 8.4 (high severity), reflecting the potential for remote code execution or denial of service. The vulnerability was publicly disclosed on March 20, 2026, and fixed in PJSIP version 2.17. For environments where upgrading is not immediately feasible, disabling internal DNS resolution by setting nameserver_count to zero or switching to an external resolver are recommended workarounds.
Potential Impact
The heap-based buffer overflow in PJSIP's DNS parser can lead to severe consequences including remote code execution, application crashes, or denial of service. Given PJSIP's widespread use in VoIP systems, IP telephony, and multimedia communication platforms, exploitation could disrupt critical communication infrastructure, compromise confidentiality and integrity of communications, and potentially allow attackers to execute arbitrary code on affected systems. This could lead to interception or manipulation of voice or video calls, unauthorized access to communication endpoints, and broader network compromise. The vulnerability's remote exploitability without authentication increases the risk profile, especially in environments exposing PJSIP services to untrusted networks. Organizations relying on PJSIP for real-time communications are at risk of operational disruption and data breaches if unpatched.
Mitigation Recommendations
1. Upgrade all PJSIP pjproject deployments to version 2.17 or later, where the vulnerability is fixed.
2. For environments unable to upgrade immediately, disable the built-in DNS resolver by setting nameserver_count to zero in the PJSIP configuration to prevent use of the vulnerable DNS parser.
3. Alternatively, configure PJSIP to use an external DNS resolver implementation via pjsip_resolver_set_ext_resolver(), which bypasses the vulnerable code path.
4. Monitor network traffic for anomalous DNS responses that could indicate exploitation attempts.
5. Employ network-level protections such as DNS response validation and filtering to reduce exposure to malicious DNS packets.
6. Conduct thorough testing of communication applications after applying mitigations to ensure stability and functionality.
7. Maintain an inventory of all systems using PJSIP to ensure comprehensive patching and configuration management.
8. Educate development and operations teams about the risks of using built-in DNS resolvers in security-sensitive applications.
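The name-length handling described in the technical summary, and the DNS response validation recommended in the mitigation list, both come down to checking every length byte against the packet and the destination buffer. The following is an added illustration of those checks, not pjproject's code or its fix; `dns_name_expand`, `demo_buf` and the sample packets are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DNS_MAX_NAME 255   /* RFC 1035 limit on an encoded name */

/* Expand the (possibly compressed) name at pkt[off] into dst as dotted text.
 * Returns the text length (excluding NUL), or -1 if the name is malformed or
 * does not fit. Never reads past pkt_len and never writes past dst_cap. */
int dns_name_expand(const uint8_t *pkt, size_t pkt_len, size_t off,
                    char *dst, size_t dst_cap)
{
    size_t out = 0, wire = 1;                    /* wire counts the root byte */
    if (dst_cap == 0) return -1;
    for (;;) {
        if (off >= pkt_len) return -1;           /* length byte inside packet */
        size_t len = pkt[off];
        if ((len & 0xC0) == 0xC0) {              /* compression pointer */
            if (off + 1 >= pkt_len) return -1;   /* second pointer byte exists */
            size_t target = ((len & 0x3F) << 8) | pkt[off + 1];
            if (target >= off) return -1;        /* backward only */
            off = target;
            continue;
        }
        if (len & 0xC0) return -1;               /* reserved; so len <= 63 */
        if (len == 0) break;                     /* root label ends the name */
        if (len > pkt_len - off - 1) return -1;  /* label bytes inside packet */
        if ((wire += len + 1) > DNS_MAX_NAME) return -1; /* bounds cycles too */
        size_t need = len + (out ? 1 : 0);       /* label plus '.' separator */
        if (need >= dst_cap - out) return -1;    /* keep one byte for the NUL */
        if (out) dst[out++] = '.';
        memcpy(dst + out, pkt + off + 1, len);
        out += len;
        off += len + 1;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Constructed samples: "sip.example" then a pointer to offset 0; a label
 * claiming 32 bytes when only 3 follow. */
static const uint8_t sample_ok[]  = {3,'s','i','p',7,'e','x','a','m','p','l','e',0,0xC0,0x00};
static const uint8_t sample_bad[] = {0x20,'a','b','c'};
static char demo_buf[DNS_MAX_NAME + 1];

int main(void)
{
    printf("%d\n", dns_name_expand(sample_ok, sizeof sample_ok, 13, demo_buf, sizeof demo_buf));
    return dns_name_expand(sample_bad, sizeof sample_bad, 0, demo_buf, sizeof demo_buf) == -1 ? 0 : 1;
}
```

The destination check is made at each write rather than against a length computed in an earlier pass, so a name that expands to more than the caller expected is rejected instead of overrunning the buffer.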
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T00:05:53.283Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69bcc873e32a4fbe5f2a790f
Added to database: 3/20/2026, 4:09:23 AM
Last enriched: 3/20/2026, 4:23:47 AM
Last updated: 3/20/2026, 6:32:10 AM