CVE-2026-33069: CWE-125: Out-of-bounds Read in pjsip pjproject
CVE-2026-33069 is an out-of-bounds heap read vulnerability in the pjsip pjproject library versions 2.16 and below. It occurs in the pjsip_multipart_parse() function when processing multipart SIP messages or SDP content. The flaw arises because the pointer advances past a boundary delimiter without verifying buffer limits, allowing 1-2 bytes of adjacent heap memory to be read. This vulnerability does not require authentication or user interaction and has a CVSS score of 6.9 (medium severity). Although no known exploits are reported in the wild, all applications using affected pjproject versions to process SIP multipart bodies are potentially at risk. The issue is fixed in version 2.17. Organizations relying on VoIP and multimedia communication systems using pjproject should prioritize upgrading to mitigate potential information disclosure risks.
AI Analysis
Technical Summary
CVE-2026-33069 is a medium-severity vulnerability classified as CWE-125 (Out-of-bounds Read) affecting the pjsip pjproject multimedia communication library, specifically versions 2.16 and earlier. The vulnerability exists in the pjsip_multipart_parse() function, which handles parsing of multipart SIP messages and SDP content. During boundary string matching, the pointer 'curptr' is advanced beyond the delimiter without confirming it remains within the buffer bounds, leading to a heap out-of-bounds read of 1-2 bytes adjacent to the intended buffer. This flaw can cause unintended disclosure of adjacent heap memory contents, potentially leaking sensitive information processed in memory. Exploitation requires no privileges or user interaction and can be triggered remotely by sending crafted SIP messages with multipart bodies to vulnerable systems. The vulnerability does not directly allow code execution or denial of service but poses confidentiality risks. The issue was publicly disclosed on March 20, 2026, and resolved in pjproject version 2.17. No known exploits have been reported in the wild to date. The vulnerability affects all applications and devices using pjproject for SIP multimedia communications that process multipart message bodies or SDP content, including VoIP softphones, IP PBXs, and communication servers.
Potential Impact
The primary impact of CVE-2026-33069 is the potential disclosure of sensitive information due to out-of-bounds heap reads. Attackers can remotely send crafted SIP messages with multipart bodies to vulnerable systems, causing them to leak 1-2 bytes of adjacent heap memory. Although the amount of leaked data per request is small, repeated exploitation could allow attackers to piece together sensitive information such as cryptographic material, session tokens, or other in-memory data, undermining confidentiality. This could facilitate further attacks like session hijacking or credential theft. The vulnerability does not directly affect system integrity or availability, but information leakage can have serious consequences in communication environments. Organizations relying on pjproject-based VoIP infrastructure, including enterprises, service providers, and government agencies, may face risks of data exposure and privacy violations. The lack of authentication or user interaction requirements increases the attack surface, enabling remote exploitation from unauthenticated attackers. The impact is heightened in environments with high volumes of SIP traffic or sensitive communications.
Mitigation Recommendations
To mitigate CVE-2026-33069, organizations should upgrade all instances of pjproject to version 2.17 or later, where the vulnerability is fixed. If immediate upgrading is not feasible, applying custom patches that add boundary checks after advancing the pointer in pjsip_multipart_parse() can reduce risk. Network-level mitigations include deploying SIP-aware intrusion detection and prevention systems (IDS/IPS) to detect and block malformed multipart SIP messages that could trigger the vulnerability. Restricting SIP traffic to trusted sources and implementing strict SIP message validation can reduce exposure. Monitoring logs for unusual SIP multipart message patterns may help identify exploitation attempts. Additionally, organizations should audit all applications and devices using pjproject for SIP processing to ensure they are updated. Regular security assessments and penetration testing focusing on SIP message handling can help detect residual risks. Finally, applying network segmentation to isolate VoIP infrastructure limits attacker lateral movement if exploitation occurs.
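The bug class and the boundary check described above, shown as an added example; this is not pjproject's code or the 2.17 patch. The function names, the enum and the sample input are constructed for illustration, and the parser is reduced to the single "advance past the delimiter, then read" step the advisory describes.

```c
#include <stddef.h>
#include <string.h>

/* What follows a multipart boundary delimiter (simplified classification). */
enum after_delim { AD_TRUNCATED = -1, AD_PART = 0, AD_CLOSING = 1 };

/* Find delim in [cur, end); return the first byte after it, or NULL. */
static const char *skip_delim(const char *cur, const char *end,
                              const char *delim, size_t dlen)
{
    for (; dlen > 0 && (size_t)(end - cur) >= dlen; ++cur)
        if (memcmp(cur, delim, dlen) == 0)
            return cur + dlen;
    return NULL;
}

/* Unchecked pattern: after the advance cur may equal end, so cur[0] and
 * cur[1] can be the 1-2 bytes past the buffer (CWE-125). */
enum after_delim classify_unchecked(const char *buf, size_t len, const char *delim)
{
    const char *cur = skip_delim(buf, buf + len, delim, strlen(delim));
    if (!cur) return AD_TRUNCATED;
    return (cur[0] == '-' && cur[1] == '-') ? AD_CLOSING : AD_PART;
}

/* Hardened pattern: re-validate the remaining length after every advance. */
enum after_delim classify_checked(const char *buf, size_t len, const char *delim)
{
    const char *end = buf + len;
    const char *cur = skip_delim(buf, end, delim, strlen(delim));
    if (!cur) return AD_TRUNCATED;
    if ((size_t)(end - cur) >= 2 && cur[0] == '-' && cur[1] == '-')
        return AD_CLOSING;
    if (cur == end) return AD_TRUNCATED;   /* body ends on the delimiter */
    return AD_PART;
}

int main(void)
{
    /* Constructed input: 6 bytes of storage, but only 4 belong to the body. */
    return classify_checked("--b1--", 4, "--b1") == AD_TRUNCATED ? 0 : 1;
}
```

When reviewing a backported patch, the same rule applies to every read that follows a pointer advance in the parser: compare against the end pointer first, then dereference.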
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Brazil, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T19:27:06.343Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69bd6dade32a4fbe5fa8ba92
Added to database: 3/20/2026, 3:54:21 PM
Last enriched: 3/20/2026, 4:08:53 PM
Last updated: 3/20/2026, 6:23:48 PM